[kernel] r16289 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Sep 16 04:41:28 UTC 2010


Author: dannf
Date: Thu Sep 16 04:41:24 2010
New Revision: 16289

Log:
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() (CVE-2010-3080)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Sep 16 04:41:07 2010	(r16288)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Sep 16 04:41:24 2010	(r16289)
@@ -4,6 +4,8 @@
     (CVE-2010-2954)
   * compat: Make compat_alloc_user_space() incorporate the access_ok()
     (CVE-2010-3081)
+  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+    (CVE-2010-3080)
 
  -- dann frazier <dannf at debian.org>  Thu, 09 Sep 2010 19:11:27 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch	Thu Sep 16 04:41:24 2010	(r16289)
@@ -0,0 +1,51 @@
+commit d05884ad376194189162c72b060d02024abfdcf6
+Author: Takashi Iwai <tiwai at suse.de>
+Date:   Mon Sep 6 09:13:45 2010 +0200
+
+    ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+    
+    The error handling in snd_seq_oss_open() has several bad codes that
+    do dereferecing released pointers and double-free of kmalloc'ed data.
+    The object dp is release in free_devinfo() that is called via
+    private_free callback.  The rest shouldn't touch this object any more.
+    
+    The patch changes delete_port() to call kfree() in any case, and gets
+    rid of unnecessary calls of destructors in snd_seq_oss_open().
+    
+    Fixes CVE-2010-3080.
+    
+    Reported-and-tested-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
+index d0d721c..1f133fe 100644
+--- a/sound/core/seq/oss/seq_oss_init.c
++++ b/sound/core/seq/oss/seq_oss_init.c
+@@ -280,13 +280,10 @@ snd_seq_oss_open(struct file *file, int level)
+ 	return 0;
+ 
+  _error:
+-	snd_seq_oss_writeq_delete(dp->writeq);
+-	snd_seq_oss_readq_delete(dp->readq);
+ 	snd_seq_oss_synth_cleanup(dp);
+ 	snd_seq_oss_midi_cleanup(dp);
+-	delete_port(dp);
+ 	delete_seq_queue(dp->queue);
+-	kfree(dp);
++	delete_port(dp);
+ 
+ 	return rc;
+ }
+@@ -349,8 +346,10 @@ create_port(struct seq_oss_devinfo *dp)
+ static int
+ delete_port(struct seq_oss_devinfo *dp)
+ {
+-	if (dp->port < 0)
++	if (dp->port < 0) {
++		kfree(dp);
+ 		return 0;
++	}
+ 
+ 	debug_printk(("delete_port %i\n", dp->port));
+ 	return snd_seq_event_port_detach(dp->cseq, dp->port);
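
Review bot: In delete_port(), the new `dp->port < 0` branch releases only dp itself with kfree(), while the first hunk drops the snd_seq_oss_writeq_delete() and snd_seq_oss_readq_delete() calls from `_error`. The commit message explains that free_devinfo() covers the attached-port case through private_free, but not why dp->writeq and dp->readq cannot be live when the port was never created; the message or a comment should state that, or the branch should release them. delete_port() also now consumes dp on both paths while keeping the name and `int` return of a plain detach helper, so a comment above it saying dp is invalid after return would help, and callers not shown in this diff should be checked against that contract.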

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny1	Thu Sep 16 04:41:07 2010	(r16288)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny1	Thu Sep 16 04:41:24 2010	(r16289)
@@ -1,2 +1,3 @@
 + bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
 + bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch
++ bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch


