From patchwork Wed Aug 14 23:21:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tyler Hicks X-Patchwork-Id: 1147283 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4685Fl2kZcz9sNk; Thu, 15 Aug 2019 09:22:03 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1hy2ab-0004oj-39; Wed, 14 Aug 2019 23:21:57 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1hy2aZ-0004od-Mn for kernel-team@lists.ubuntu.com; Wed, 14 Aug 2019 23:21:55 +0000 Received: from 2.general.tyhicks.us.vpn ([10.172.64.53] helo=sec-upgrade.work.tihix.com) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1hy2aZ-0007tT-6S; Wed, 14 Aug 2019 23:21:55 +0000 From: Tyler Hicks To: kernel-team@lists.ubuntu.com Subject: [PATCH 0/2][SRU][X] CVE-2018-20961: USB Gadget MIDI Function UAF Date: Wed, 14 Aug 2019 23:21:43 +0000 Message-Id: <20190814232145.5623-1-tyhicks@canonical.com> X-Mailer: git-send-email 2.17.1 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact. Clean cherry picks. I'm unable to test without appropriate hardware but the the build logs are clean and a test kernel boots without any issues. The first patch isn't necessarily required for the CVE fix but the error path doesn't work correctly without it. I think it is safe and worthwhile to bring back with the CVE fix. Tyler Felipe F. Tonello (1): usb: gadget: f_midi: fail if set_alt fails to allocate requests Yavuz, Tuba (1): USB: gadget: f_midi: fixing a possible double-free in f_midi drivers/usb/gadget/function/f_midi.c | 6 ++++-- drivers/usb/gadget/u_f.h | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) Acked-by: Connor Kuehl Acked-by: Stefan Bader