[linux] 01/01: ALSA: seq: Fix racy pool initializations (CVE-2018-7566)

debian-kernel at lists.debian.org
Fri Mar 9 10:55:22 UTC 2018


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 5bd62d635738d53586acd844c5e81ba6cbfb5755
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Fri Mar 9 11:53:25 2018 +0100

    ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
---
 debian/changelog                                   |  1 +
 .../ALSA-seq-Fix-racy-pool-initializations.patch   | 63 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 65 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index cb56695..cd51e1c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 linux (4.15.4-2) UNRELEASED; urgency=medium
 
   * Add ABI reference for 4.15.0-1
+  * ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 20 Feb 2018 21:51:39 +0100
 
diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
new file mode 100644
index 0000000..130984e
--- /dev/null
+++ b/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
@@ -0,0 +1,63 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Mon, 12 Feb 2018 15:20:51 +0100
+Subject: ALSA: seq: Fix racy pool initializations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/3b8e84c8373de4e068e282102425d498d992e49b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7566
+
+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
+
+ALSA sequencer core initializes the event pool on demand by invoking
+snd_seq_pool_init() when the first write happens and the pool is
+empty.  Meanwhile user can reset the pool size manually via ioctl
+concurrently, and this may lead to UAF or out-of-bound accesses since
+the function tries to vmalloc / vfree the buffer.
+
+A simple fix is to just wrap the snd_seq_pool_init() call with the
+recently introduced client->ioctl_mutex; as the calls for
+snd_seq_pool_init() from other side are always protected with this
+mutex, we can avoid the race.
+
+Reported-by: 范龙飞 <long7573 at 126.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ sound/core/seq/seq_clientmgr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index d01913404581..a42cbbf2c8d9 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1003,7 +1003,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
+ {
+ 	struct snd_seq_client *client = file->private_data;
+ 	int written = 0, len;
+-	int err = -EINVAL;
++	int err;
+ 	struct snd_seq_event event;
+ 
+ 	if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
+@@ -1018,11 +1018,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
+ 
+ 	/* allocate the pool now if the pool is not allocated yet */ 
+ 	if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+-		if (snd_seq_pool_init(client->pool) < 0)
++		mutex_lock(&client->ioctl_mutex);
++		err = snd_seq_pool_init(client->pool);
++		mutex_unlock(&client->ioctl_mutex);
++		if (err < 0)
+ 			return -ENOMEM;
+ 	}
+ 
+ 	/* only process whole events */
++	err = -EINVAL;
+ 	while (count >= sizeof(struct snd_seq_event)) {
+ 		/* Read in the event header from the user */
+ 		len = sizeof(event);
+-- 
+2.16.2
+
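Review bot: the backport metadata is inconsistent: the header line `+Origin: https://git.kernel.org/linus/3b8e84c8373de4e068e282102425d498d992e49b` names one commit while the body line `+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.` names another, so it is not clear which tree this patch was taken from; point Origin at the mainline commit the body cites, or change it to the stable-tree URL if 3b8e84c8373d is the 4.15.y backport. Two things to confirm on the code itself before merging: the `!snd_seq_write_pool_allocated(client)` check still runs before `mutex_lock(&client->ioctl_mutex)`, so two callers can both observe the pool as unallocated and enter the locked region in turn, which is only safe if snd_seq_pool_init() detects an already-initialized pool under its own lock (not visible in this hunk); and `err` from snd_seq_pool_init() is captured but `-ENOMEM` is returned unconditionally on failure, so the real error code is lost (propagating `err` would be cleaner, though matching upstream verbatim is a reasonable choice for a security backport).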
diff --git a/debian/patches/series b/debian/patches/series
index cf0df77..729b1a0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,6 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git