[0/2,SRU,X] CVE-2018-20961: USB Gadget MIDI Function UAF
mbox series

Message ID 20190814232145.5623-1-tyhicks@canonical.com
Headers show
Series
  • CVE-2018-20961: USB Gadget MIDI Function UAF
Related show

Message

Tyler Hicks Aug. 14, 2019, 11:21 p.m. UTC
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html

 In the Linux kernel before 4.16.4, a double free vulnerability in the
 f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
 f_midi driver may allow attackers to cause a denial of service or
 possibly have unspecified other impact.

Clean cherry picks. I'm unable to test without appropriate hardware but
the the build logs are clean and a test kernel boots without any issues.

The first patch isn't necessarily required for the CVE fix but the error
path doesn't work correctly without it. I think it is safe and
worthwhile to bring back with the CVE fix.

Tyler

Felipe F. Tonello (1):
  usb: gadget: f_midi: fail if set_alt fails to allocate requests

Yavuz, Tuba (1):
  USB: gadget: f_midi: fixing a possible double-free in f_midi

 drivers/usb/gadget/function/f_midi.c | 6 ++++--
 drivers/usb/gadget/u_f.h             | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

Comments

Connor Kuehl Aug. 15, 2019, 5:24 p.m. UTC | #1
On 8/14/19 4:21 PM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html
> 
>   In the Linux kernel before 4.16.4, a double free vulnerability in the
>   f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
>   f_midi driver may allow attackers to cause a denial of service or
>   possibly have unspecified other impact.
> 
> Clean cherry picks. I'm unable to test without appropriate hardware but
> the the build logs are clean and a test kernel boots without any issues.
> 
> The first patch isn't necessarily required for the CVE fix but the error
> path doesn't work correctly without it. I think it is safe and
> worthwhile to bring back with the CVE fix.
> 
> Tyler
> 
> Felipe F. Tonello (1):
>    usb: gadget: f_midi: fail if set_alt fails to allocate requests
> 
> Yavuz, Tuba (1):
>    USB: gadget: f_midi: fixing a possible double-free in f_midi
> 
>   drivers/usb/gadget/function/f_midi.c | 6 ++++--
>   drivers/usb/gadget/u_f.h             | 2 ++
>   2 files changed, 6 insertions(+), 2 deletions(-)
> 

Acked-by: Connor Kuehl <connor.kuehl@canonical.com>
Stefan Bader Aug. 26, 2019, 2:16 p.m. UTC | #2
On 15.08.19 01:21, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html
> 
>  In the Linux kernel before 4.16.4, a double free vulnerability in the
>  f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
>  f_midi driver may allow attackers to cause a denial of service or
>  possibly have unspecified other impact.
> 
> Clean cherry picks. I'm unable to test without appropriate hardware but
> the the build logs are clean and a test kernel boots without any issues.
> 
> The first patch isn't necessarily required for the CVE fix but the error
> path doesn't work correctly without it. I think it is safe and
> worthwhile to bring back with the CVE fix.
> 
> Tyler
> 
> Felipe F. Tonello (1):
>   usb: gadget: f_midi: fail if set_alt fails to allocate requests
> 
> Yavuz, Tuba (1):
>   USB: gadget: f_midi: fixing a possible double-free in f_midi
> 
>  drivers/usb/gadget/function/f_midi.c | 6 ++++--
>  drivers/usb/gadget/u_f.h             | 2 ++
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Kleber Souza Sept. 3, 2019, 1:14 p.m. UTC | #3
On 8/15/19 1:21 AM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html
> 
>  In the Linux kernel before 4.16.4, a double free vulnerability in the
>  f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
>  f_midi driver may allow attackers to cause a denial of service or
>  possibly have unspecified other impact.
> 
> Clean cherry picks. I'm unable to test without appropriate hardware but
> the the build logs are clean and a test kernel boots without any issues.
> 
> The first patch isn't necessarily required for the CVE fix but the error
> path doesn't work correctly without it. I think it is safe and
> worthwhile to bring back with the CVE fix.
> 
> Tyler
> 
> Felipe F. Tonello (1):
>   usb: gadget: f_midi: fail if set_alt fails to allocate requests
> 
> Yavuz, Tuba (1):
>   USB: gadget: f_midi: fixing a possible double-free in f_midi
> 
>  drivers/usb/gadget/function/f_midi.c | 6 ++++--
>  drivers/usb/gadget/u_f.h             | 2 ++
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 

Applied to xenial/master-next branch.

Thanks,
Kleber