Message ID | 20190218144958.7217-3-hui.wang@canonical.com |
---|---|
State | New |
Series | [SRU,T] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c |
On 2019-02-18 22:49:58, Hui Wang wrote:
> From: Hui Peng <benquike@gmail.com>
>
> If a USB sound card reports 0 interfaces, an error condition is triggered
> and the function usb_audio_probe errors out. In the error path, there was a
> use-after-free vulnerability where the memory object of the card was first
> freed, followed by a decrement of the number of active chips. Moving the
> decrement above the atomic_dec fixes the UAF.
>
> [ The original problem was introduced in 3.1 kernel, while it was
> developed in a different form. The Fixes tag below indicates the
> original commit but it doesn't mean that the patch is applicable
> cleanly. -- tiwai ]
>
> Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> Reported-by: Hui Peng <benquike@gmail.com>
> Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Signed-off-by: Hui Peng <benquike@gmail.com>
> Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>
> CVE-2018-19824
>
> (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> Signed-off-by: Hui Wang <hui.wang@canonical.com>

This is a low risk change. It required a backport but you've got a good
understanding of the problem and what's required of the backport.

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Thanks for working on this!

Tyler

> ---
> sound/usb/card.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/usb/card.c b/sound/usb/card.c
> index 75b1040ef3bb..dfbd152c0962 100644
> --- a/sound/usb/card.c
> +++ b/sound/usb/card.c
> @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev, > > __error: > if (chip) { > + /* chip->probing is inside the chip->card object, > + * set the value before memory is possibly returned. > + */ > + chip->probing = 0; > if (!chip->num_interfaces) > snd_card_free(chip->card); > - chip->probing = 0; > } > mutex_unlock(®ister_mutex); > __err_val: > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
I forgot to adjust the subject line to indicate that I'm acking the patch.
This reply has the adjusted subject line.

Tyler

On 2019-02-18 16:32:44, Tyler Hicks wrote:
> On 2019-02-18 22:49:58, Hui Wang wrote:
> > From: Hui Peng <benquike@gmail.com>
> >
> > If a USB sound card reports 0 interfaces, an error condition is triggered
> > and the function usb_audio_probe errors out. In the error path, there was a
> > use-after-free vulnerability where the memory object of the card was first
> > freed, followed by a decrement of the number of active chips. Moving the
> > decrement above the atomic_dec fixes the UAF.
> >
> > [ The original problem was introduced in 3.1 kernel, while it was
> > developed in a different form. The Fixes tag below indicates the
> > original commit but it doesn't mean that the patch is applicable
> > cleanly. -- tiwai ]
> >
> > Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> > Reported-by: Hui Peng <benquike@gmail.com>
> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
> > Signed-off-by: Hui Peng <benquike@gmail.com>
> > Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> >
> > CVE-2018-19824
> >
> > (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> > Signed-off-by: Hui Wang <hui.wang@canonical.com>
>
> This is a low risk change. It required a backport but you've got a good
> understanding of the problem and what's required of the backport.
>
> Acked-by: Tyler Hicks <tyhicks@canonical.com>
>
> Thanks for working on this!
>
> Tyler
>
> > ---
> > sound/usb/card.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > index 75b1040ef3bb..dfbd152c0962 100644
> > --- a/sound/usb/card.c
> > +++ b/sound/usb/card.c
> > @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev, > > > > __error: > > if (chip) { > > + /* chip->probing is inside the chip->card object, > > + * set the value before memory is possibly returned. > > + */ > > + chip->probing = 0; > > if (!chip->num_interfaces) > > snd_card_free(chip->card); > > - chip->probing = 0; > > } > > mutex_unlock(®ister_mutex); > > __err_val: > > -- > > 2.17.1 > > > > > > -- > > kernel-team mailing list > > kernel-team@lists.ubuntu.com > > https://lists.ubuntu.com/mailman/listinfo/kernel-team > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 18.02.19 15:49, Hui Wang wrote: > From: Hui Peng <benquike@gmail.com> > > If a USB sound card reports 0 interfaces, an error condition is triggered > and the function usb_audio_probe errors out. In the error path, there was a > use-after-free vulnerability where the memory object of the card was first > freed, followed by a decrement of the number of active chips. Moving the > decrement above the atomic_dec fixes the UAF. > > [ The original problem was introduced in 3.1 kernel, while it was > developed in a different form. The Fixes tag below indicates the > original commit but it doesn't mean that the patch is applicable > cleanly. -- tiwai ] > > Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit") > Reported-by: Hui Peng <benquike@gmail.com> > Reported-by: Mathias Payer <mathias.payer@nebelwelt.net> > Signed-off-by: Hui Peng <benquike@gmail.com> > Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> > Cc: <stable@vger.kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > CVE-2018-19824 > > (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b) > Signed-off-by: Hui Wang <hui.wang@canonical.com> > --- Applied to trusty/master-next. Thanks. -Stefan > sound/usb/card.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/sound/usb/card.c b/sound/usb/card.c > index 75b1040ef3bb..dfbd152c0962 100644 > --- a/sound/usb/card.c > +++ b/sound/usb/card.c > @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev, > > __error: > if (chip) { > + /* chip->probing is inside the chip->card object, > + * set the value before memory is possibly returned. > + */ > + chip->probing = 0; > if (!chip->num_interfaces) > snd_card_free(chip->card); > - chip->probing = 0; > } > mutex_unlock(®ister_mutex); > __err_val: >
diff --git a/sound/usb/card.c b/sound/usb/card.c index 75b1040ef3bb..dfbd152c0962 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev, __error: if (chip) { + /* chip->probing is inside the chip->card object, + * set the value before memory is possibly returned. + */ + chip->probing = 0; if (!chip->num_interfaces) snd_card_free(chip->card); - chip->probing = 0; } mutex_unlock(®ister_mutex); __err_val:
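Review bot: the commit message describes the fix as moving a "decrement above the atomic_dec", but what this hunk actually does is move the `chip->probing = 0` store above `snd_card_free(chip->card)`; since the backport takes a different form from upstream, the description should say what this hunk does, which is to clear the flag while `chip` (allocated as part of the card object, as the added comment states) is still valid memory. The new ordering is correct: after `snd_card_free()` nothing in the visible error path dereferences `chip` again before `mutex_unlock()`. Minor: the added comment would read more precisely as "chip->probing lives inside the card object, so clear it before snd_card_free() may release that memory".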