Message ID | 20190218144958.7217-2-hui.wang@canonical.com |
---|---|
State | New |
Series | [SRU,B/C] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c |
On 2019-02-18 22:49:57, Hui Wang wrote:
> From: Hui Peng <benquike@gmail.com>
>
> If a USB sound card reports 0 interfaces, an error condition is triggered
> and the function usb_audio_probe errors out. In the error path, there was a
> use-after-free vulnerability where the memory object of the card was first
> freed, followed by a decrement of the number of active chips. Moving the
> decrement above the atomic_dec fixes the UAF.
>
> [ The original problem was introduced in 3.1 kernel, while it was
> developed in a different form. The Fixes tag below indicates the
> original commit but it doesn't mean that the patch is applicable
> cleanly. -- tiwai ]
>
> Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>
> CVE-2018-19824
>
> (cherry picked from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> Signed-off-by: Hui Wang <hui.wang@canonical.com>

This is a low risk change that cherry picks cleanly.

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Thanks for working on this!

Tyler

> ---
>  sound/usb/card.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/usb/card.c b/sound/usb/card.c
> index 3ffb8e5aa50c..9ba2dcc0a326 100644
> --- a/sound/usb/card.c
> +++ b/sound/usb/card.c
> @@ -672,9 +672,12 @@ static int usb_audio_probe(struct usb_interface *intf, > > __error: > if (chip) { > + /* chip->active is inside the chip->card object, > + * decrement before memory is possibly returned. > + */ > + atomic_dec(&chip->active); > if (!chip->num_interfaces) > snd_card_free(chip->card); > - atomic_dec(&chip->active); > } > mutex_unlock(®ister_mutex); > return err; > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 18.02.19 15:49, Hui Wang wrote: > From: Hui Peng <benquike@gmail.com> > > If a USB sound card reports 0 interfaces, an error condition is triggered > and the function usb_audio_probe errors out. In the error path, there was a > use-after-free vulnerability where the memory object of the card was first > freed, followed by a decrement of the number of active chips. Moving the > decrement above the atomic_dec fixes the UAF. > > [ The original problem was introduced in 3.1 kernel, while it was > developed in a different form. The Fixes tag below indicates the > original commit but it doesn't mean that the patch is applicable > cleanly. -- tiwai ] > > Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit") > Reported-by: Hui Peng <benquike@gmail.com> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> > Signed-off-by: Hui Peng <benquike@gmail.com> > Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > CVE-2018-19824 > > (cherry picked from commit 5f8cf712582617d523120df67d392059eaf2fc4b) > Signed-off-by: Hui Wang <hui.wang@canonical.com> > --- Applied to bionic,cosmic/master-next. Thanks. -Stefan > sound/usb/card.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/sound/usb/card.c b/sound/usb/card.c > index 3ffb8e5aa50c..9ba2dcc0a326 100644 > --- a/sound/usb/card.c > +++ b/sound/usb/card.c > @@ -672,9 +672,12 @@ static int usb_audio_probe(struct usb_interface *intf, > > __error: > if (chip) { > + /* chip->active is inside the chip->card object, > + * decrement before memory is possibly returned. > + */ > + atomic_dec(&chip->active); > if (!chip->num_interfaces) > snd_card_free(chip->card); > - atomic_dec(&chip->active); > } > mutex_unlock(®ister_mutex); > return err; >
diff --git a/sound/usb/card.c b/sound/usb/card.c index 3ffb8e5aa50c..9ba2dcc0a326 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -672,9 +672,12 @@ static int usb_audio_probe(struct usb_interface *intf, __error: if (chip) { + /* chip->active is inside the chip->card object, + * decrement before memory is possibly returned. + */ + atomic_dec(&chip->active); if (!chip->num_interfaces) snd_card_free(chip->card); - atomic_dec(&chip->active); } mutex_unlock(®ister_mutex); return err;
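Review bot: The commit message sentence "Moving the decrement above the atomic_dec fixes the UAF" is circular; what the hunk moves is atomic_dec(&chip->active), and it moves it above snd_card_free(chip->card), so the sentence should read "above the snd_card_free". The reorder itself is sound for the reason the new comment gives: chip->active lives inside the chip->card object, so with the old ordering the decrement at the bottom of the block wrote into memory that snd_card_free had already released whenever num_interfaces was 0, and after this change nothing in the __error block touches chip once the card has been freed. Since this is a clean cherry-pick of upstream 5f8cf712582617d523120df67d392059eaf2fc4b for the SRU, the message wording is best left exactly as upstream has it rather than amended locally.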