[SRU,T] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c

Message ID 20190218144958.7217-3-hui.wang@canonical.com
State New
Series
  • [SRU,T] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c

Commit Message

Hui Wang Feb. 18, 2019, 2:49 p.m. UTC
From: Hui Peng <benquike@gmail.com>

If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.

[ The original problem was introduced in 3.1 kernel, while it was
  developed in a different form.  The Fixes tag below indicates the
  original commit but it doesn't mean that the patch is applicable
  cleanly. -- tiwai ]

Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

CVE-2018-19824

(backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
Signed-off-by: Hui Wang <hui.wang@canonical.com>
---
 sound/usb/card.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
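As an added illustration (not kernel code and not part of this patch), the following C model reproduces the ordering the commit message describes: a chip object embedded in the card's allocation, an error path that frees the card when it reports no interfaces, and a flag write that lands either after or before that free. The names model_card, model_chip, card_new, card_free, chip_set_probing, error_path_before, error_path_after and run_scenario are hypothetical; the model's "free" only records that the block was released, so the stale write can be counted deterministically instead of being undefined behaviour.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical model: the chip is carved out of the same allocation as the
 * card (its private data), so releasing the card releases the chip too. */
struct model_chip {
    int num_interfaces;
    int probing;
};

struct model_card {
    int freed;              /* model only: 1 once "freed" (real free() would reuse the memory) */
    struct model_chip chip; /* private data lives inside the card object */
};

/* Allocates a card whose embedded chip is mid-probe. */
static struct model_card *card_new(int num_interfaces)
{
    struct model_card *card = calloc(1, sizeof(*card));
    if (card) {
        card->chip.num_interfaces = num_interfaces;
        card->chip.probing = 1;
    }
    return card;
}

/* Stand-in for snd_card_free(): marks the block released instead of
 * returning it, so a later access can be detected rather than corrupt memory. */
static void card_free(struct model_card *card)
{
    card->freed = 1;
}

/* Every field write goes through this check. Returns 1 if the write would
 * have touched released memory (a use-after-free), 0 if it was valid. */
static int chip_set_probing(struct model_card *card, int value)
{
    if (card->freed)
        return 1;   /* the card, and the chip embedded in it, is already gone */
    card->chip.probing = value;
    return 0;
}

/* Error path as it was before the fix: free first, then clear probing. */
static int error_path_before(struct model_card *card)
{
    int uaf = 0;
    if (!card->chip.num_interfaces)
        card_free(card);
    uaf |= chip_set_probing(card, 0);
    return uaf;
}

/* Error path after the fix: clear probing while the memory is still valid. */
static int error_path_after(struct model_card *card)
{
    int uaf = 0;
    uaf |= chip_set_probing(card, 0);
    if (!card->chip.num_interfaces)
        card_free(card);
    return uaf;
}

/* Runs one scenario and returns the number of use-after-free writes seen. */
static int run_scenario(int num_interfaces, int (*path)(struct model_card *))
{
    struct model_card *card = card_new(num_interfaces);
    int uaf = path(card);
    free(card);   /* real release of the model allocation */
    return uaf;
}

int main(void)
{
    /* zero interfaces triggers the free inside the error path */
    assert(run_scenario(0, error_path_before) == 1);
    assert(run_scenario(0, error_path_after) == 0);
    /* with a live interface the card is kept and neither ordering is wrong */
    assert(run_scenario(1, error_path_before) == 0);
    assert(run_scenario(1, error_path_after) == 0);
    return 0;
}
```

The point the model makes is that the bug only shows when the card has no interfaces: that is the one branch in which the free runs, so a test that probes a normal device never exercises the stale write.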

Comments

Tyler Hicks Feb. 18, 2019, 3:32 p.m. UTC | #1
On 2019-02-18 22:49:58, Hui Wang wrote:
> From: Hui Peng <benquike@gmail.com>
> 
> If a USB sound card reports 0 interfaces, an error condition is triggered
> and the function usb_audio_probe errors out. In the error path, there was a
> use-after-free vulnerability where the memory object of the card was first
> freed, followed by a decrement of the number of active chips. Moving the
> decrement above the atomic_dec fixes the UAF.
> 
> [ The original problem was introduced in 3.1 kernel, while it was
>   developed in a different form.  The Fixes tag below indicates the
>   original commit but it doesn't mean that the patch is applicable
>   cleanly. -- tiwai ]
> 
> Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> 
> CVE-2018-19824
> 
> (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> Signed-off-by: Hui Wang <hui.wang@canonical.com>

This is a low risk change. It required a backport but you've got a good
understanding of the problem and what's required of the backport.

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Thanks for working on this!

Tyler

> ---
>  sound/usb/card.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/sound/usb/card.c b/sound/usb/card.c
> index 75b1040ef3bb..dfbd152c0962 100644
> --- a/sound/usb/card.c
> +++ b/sound/usb/card.c
> @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev,
>  
>   __error:
>  	if (chip) {
> +		/* chip->probing is inside the chip->card object,
> +		 * set the value before memory is possibly returned.
> +		 */
> +		chip->probing = 0;
>  		if (!chip->num_interfaces)
>  			snd_card_free(chip->card);
> -		chip->probing = 0;
>  	}
>  	mutex_unlock(&register_mutex);
>   __err_val:
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Tyler Hicks Feb. 18, 2019, 3:35 p.m. UTC | #2
I forgot to adjust the subject line to indicate that I'm acking the
patch. This reply has the adjusted subject line.

Tyler

On 2019-02-18 16:32:44, Tyler Hicks wrote:
> On 2019-02-18 22:49:58, Hui Wang wrote:
> > From: Hui Peng <benquike@gmail.com>
> > 
> > If a USB sound card reports 0 interfaces, an error condition is triggered
> > and the function usb_audio_probe errors out. In the error path, there was a
> > use-after-free vulnerability where the memory object of the card was first
> > freed, followed by a decrement of the number of active chips. Moving the
> > decrement above the atomic_dec fixes the UAF.
> > 
> > [ The original problem was introduced in 3.1 kernel, while it was
> >   developed in a different form.  The Fixes tag below indicates the
> >   original commit but it doesn't mean that the patch is applicable
> >   cleanly. -- tiwai ]
> > 
> > Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> > Reported-by: Hui Peng <benquike@gmail.com>
> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> > Signed-off-by: Hui Peng <benquike@gmail.com>
> > Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > 
> > CVE-2018-19824
> > 
> > (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> > Signed-off-by: Hui Wang <hui.wang@canonical.com>
> 
> This is a low risk change. It required a backport but you've got a good
> understanding of the problem and what's required of the backport.
> 
> Acked-by: Tyler Hicks <tyhicks@canonical.com>
> 
> Thanks for working on this!
> 
> Tyler
> 
> > ---
> >  sound/usb/card.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > index 75b1040ef3bb..dfbd152c0962 100644
> > --- a/sound/usb/card.c
> > +++ b/sound/usb/card.c
> > @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev,
> >  
> >   __error:
> >  	if (chip) {
> > +		/* chip->probing is inside the chip->card object,
> > +		 * set the value before memory is possibly returned.
> > +		 */
> > +		chip->probing = 0;
> >  		if (!chip->num_interfaces)
> >  			snd_card_free(chip->card);
> > -		chip->probing = 0;
> >  	}
> >  	mutex_unlock(&register_mutex);
> >   __err_val:
> > -- 
> > 2.17.1
> > 
> > 
Thadeu Lima de Souza Cascardo Feb. 22, 2019, 8:04 a.m. UTC | #3
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Stefan Bader March 1, 2019, 2:04 p.m. UTC | #4
On 18.02.19 15:49, Hui Wang wrote:
> From: Hui Peng <benquike@gmail.com>
> 
> If a USB sound card reports 0 interfaces, an error condition is triggered
> and the function usb_audio_probe errors out. In the error path, there was a
> use-after-free vulnerability where the memory object of the card was first
> freed, followed by a decrement of the number of active chips. Moving the
> decrement above the atomic_dec fixes the UAF.
> 
> [ The original problem was introduced in 3.1 kernel, while it was
>   developed in a different form.  The Fixes tag below indicates the
>   original commit but it doesn't mean that the patch is applicable
>   cleanly. -- tiwai ]
> 
> Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> 
> CVE-2018-19824
> 
> (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> Signed-off-by: Hui Wang <hui.wang@canonical.com>
> ---

Applied to trusty/master-next. Thanks.

-Stefan

>  sound/usb/card.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/sound/usb/card.c b/sound/usb/card.c
> index 75b1040ef3bb..dfbd152c0962 100644
> --- a/sound/usb/card.c
> +++ b/sound/usb/card.c
> @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev,
>  
>   __error:
>  	if (chip) {
> +		/* chip->probing is inside the chip->card object,
> +		 * set the value before memory is possibly returned.
> +		 */
> +		chip->probing = 0;
>  		if (!chip->num_interfaces)
>  			snd_card_free(chip->card);
> -		chip->probing = 0;
>  	}
>  	mutex_unlock(&register_mutex);
>   __err_val:
>

Patch

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 75b1040ef3bb..dfbd152c0962 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -588,9 +588,12 @@  snd_usb_audio_probe(struct usb_device *dev,
 
  __error:
 	if (chip) {
+		/* chip->probing is inside the chip->card object,
+		 * set the value before memory is possibly returned.
+		 */
+		chip->probing = 0;
 		if (!chip->num_interfaces)
 			snd_card_free(chip->card);
-		chip->probing = 0;
 	}
 	mutex_unlock(&register_mutex);
  __err_val:
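Review bot: The commit message does not match this hunk: it says the fix moves "the decrement above the atomic_dec", but the hunk contains no atomic_dec; what moves is `chip->probing = 0` from after `snd_card_free(chip->card)` to before it. Suggest the backport's description say exactly that, since the new in-code comment already gives the reason (chip->probing lives inside the chip->card object, which snd_card_free may release). The ordering itself is right: with `!chip->num_interfaces` the card is freed, and the old trailing write landed in released memory, so clearing the flag first, still under register_mutex, closes that window.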