CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
This commit is contained in:
parent
52e0800e16
commit
e6600690f8
|
@ -0,0 +1,33 @@
|
|||
From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:44:07 -0400
|
||||
Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “tread” has a total size of 32 bytes. Its field
|
||||
“event” and “val” both contain 4 bytes padding. These 8 bytes
|
||||
padding bytes are sent to user without being initialized.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/timer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||||
index 6469bedda2f3..964f5ebf495e 100644
|
||||
--- a/sound/core/timer.c
|
||||
+++ b/sound/core/timer.c
|
||||
@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
|
||||
if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
|
||||
if (tu->tread) {
|
||||
struct snd_timer_tread tread;
|
||||
+ memset(&tread, 0, sizeof(tread));
|
||||
tread.event = SNDRV_TIMER_EVENT_EARLY;
|
||||
tread.tstamp.tv_sec = 0;
|
||||
tread.tstamp.tv_nsec = 0;
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:44:20 -0400
|
||||
Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
|
||||
snd_timer_user_ccallback
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “r1” has a total size of 32 bytes. Its field
|
||||
“event” and “val” both contain 4 bytes padding. These 8 bytes
|
||||
padding bytes are sent to user without being initialized.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/timer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||||
index 964f5ebf495e..e98fa5feb731 100644
|
||||
--- a/sound/core/timer.c
|
||||
+++ b/sound/core/timer.c
|
||||
@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
|
||||
tu->tstamp = *tstamp;
|
||||
if ((tu->filter & (1 << event)) == 0 || !tu->tread)
|
||||
return;
|
||||
+ memset(&r1, 0, sizeof(r1));
|
||||
r1.event = event;
|
||||
r1.tstamp = *tstamp;
|
||||
r1.val = resolution;
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
|
||||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:44:32 -0400
|
||||
Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
|
||||
snd_timer_user_tinterrupt
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The stack object “r1” has a total size of 32 bytes. Its field
|
||||
“event” and “val” both contain 4 bytes padding. These 8 bytes
|
||||
padding bytes are sent to user without being initialized.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/timer.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
||||
index e98fa5feb731..c69a27155433 100644
|
||||
--- a/sound/core/timer.c
|
||||
+++ b/sound/core/timer.c
|
||||
@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
|
||||
}
|
||||
if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
|
||||
tu->last_resolution != resolution) {
|
||||
+ memset(&r1, 0, sizeof(r1));
|
||||
r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
|
||||
r1.tstamp = tstamp;
|
||||
r1.val = resolution;
|
||||
--
|
||||
2.5.5
|
||||
|
13
kernel.spec
13
kernel.spec
|
@ -658,6 +658,11 @@ Patch708: propogate_mnt-Handle-the-first-propogated-copy-being.patch
|
|||
Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
|
||||
Patch712: bpf-fix-refcnt-overflow.patch
|
||||
|
||||
#CVE-2016-4569 rhbz 1334643 1334645
|
||||
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
|
||||
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
%endif
|
||||
|
||||
|
@ -1377,6 +1382,11 @@ ApplyPatch propogate_mnt-Handle-the-first-propogated-copy-being.patch
|
|||
ApplyPatch bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
|
||||
ApplyPatch bpf-fix-refcnt-overflow.patch
|
||||
|
||||
#CVE-2016-4569 rhbz 1334643 1334645
|
||||
ApplyPatch ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
|
||||
ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
|
||||
ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2226,6 +2236,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
|
||||
|
||||
* Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-4557 bpf: Use after free vulnerability via double fdput
|
||||
CVE-2016-4558 bpf: refcnt overflow (rhbz 1334307 1334303 1334311)
|
||||
|
|
Loading…
Reference in New Issue