[kernel] r16289 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Sep 16 04:41:28 UTC 2010
Author: dannf
Date: Thu Sep 16 04:41:24 2010
New Revision: 16289
Log:
ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() (CVE-2010-3080)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Sep 16 04:41:07 2010 (r16288)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Sep 16 04:41:24 2010 (r16289)
@@ -4,6 +4,8 @@
(CVE-2010-2954)
* compat: Make compat_alloc_user_space() incorporate the access_ok()
(CVE-2010-3081)
+ * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+ (CVE-2010-3080)
-- dann frazier <dannf at debian.org> Thu, 09 Sep 2010 19:11:27 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch Thu Sep 16 04:41:24 2010 (r16289)
@@ -0,0 +1,51 @@
+commit d05884ad376194189162c72b060d02024abfdcf6
+Author: Takashi Iwai <tiwai at suse.de>
+Date: Mon Sep 6 09:13:45 2010 +0200
+
+ ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
+
+ The error handling in snd_seq_oss_open() has several bad codes that
+ do dereferecing released pointers and double-free of kmalloc'ed data.
+ The object dp is release in free_devinfo() that is called via
+ private_free callback. The rest shouldn't touch this object any more.
+
+ The patch changes delete_port() to call kfree() in any case, and gets
+ rid of unnecessary calls of destructors in snd_seq_oss_open().
+
+ Fixes CVE-2010-3080.
+
+ Reported-and-tested-by: Tavis Ormandy <taviso at cmpxchg8b.com>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
+index d0d721c..1f133fe 100644
+--- a/sound/core/seq/oss/seq_oss_init.c
++++ b/sound/core/seq/oss/seq_oss_init.c
+@@ -280,13 +280,10 @@ snd_seq_oss_open(struct file *file, int level)
+ return 0;
+
+ _error:
+- snd_seq_oss_writeq_delete(dp->writeq);
+- snd_seq_oss_readq_delete(dp->readq);
+ snd_seq_oss_synth_cleanup(dp);
+ snd_seq_oss_midi_cleanup(dp);
+- delete_port(dp);
+ delete_seq_queue(dp->queue);
+- kfree(dp);
++ delete_port(dp);
+
+ return rc;
+ }
+@@ -349,8 +346,10 @@ create_port(struct seq_oss_devinfo *dp)
+ static int
+ delete_port(struct seq_oss_devinfo *dp)
+ {
+- if (dp->port < 0)
++ if (dp->port < 0) {
++ kfree(dp);
+ return 0;
++ }
+
+ debug_printk(("delete_port %i\n", dp->port));
+ return snd_seq_event_port_detach(dp->cseq, dp->port);
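Review bot: delete_port() now releases dp on both of its paths (kfree() directly when dp->port < 0, otherwise through the private_free callback that the commit message says runs free_devinfo()), but neither the function nor the _error label in snd_seq_oss_open() documents that ownership transfer. A short comment on delete_port() stating that it consumes dp, and one at _error noting that delete_port(dp) has to stay the last call because delete_seq_queue(dp->queue) still reads dp, would keep a later reordering from reintroducing the use-after-free. Three things are not visible in these hunks and are worth confirming before merge: that dp->port is set to a negative value before any goto _error can be reached, that the removed snd_seq_oss_writeq_delete()/snd_seq_oss_readq_delete() calls are not needed when the dp->port < 0 branch only does kfree(dp), and that any other caller of delete_port() expects dp to be freed when the port was never created.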
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny1 Thu Sep 16 04:41:07 2010 (r16288)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny1 Thu Sep 16 04:41:24 2010 (r16289)
@@ -1,2 +1,3 @@
+ bugfix/all/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+ bugfix/all/compat-make-compat_alloc_user_space-incorporate-the_access_ok.patch
++ bugfix/all/alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch