diff --git a/debian/changelog b/debian/changelog
index cb56695a0..cd51e1c61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 linux (4.15.4-2) UNRELEASED; urgency=medium
 * Add ABI reference for 4.15.0-1
+ * ALSA: seq: Fix racy pool initializations (CVE-2018-7566)
 -- Salvatore Bonaccorso Tue, 20 Feb 2018 21:51:39 +0100
diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
new file mode 100644
index 000000000..130984ed5
--- /dev/null
+++ b/debian/patches/bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
@@ -0,0 +1,63 @@
+From: Takashi Iwai
+Date: Mon, 12 Feb 2018 15:20:51 +0100
+Subject: ALSA: seq: Fix racy pool initializations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/3b8e84c8373de4e068e282102425d498d992e49b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-7566
+
+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
+
+ALSA sequencer core initializes the event pool on demand by invoking
+snd_seq_pool_init() when the first write happens and the pool is
+empty. Meanwhile user can reset the pool size manually via ioctl
+concurrently, and this may lead to UAF or out-of-bound accesses since
+the function tries to vmalloc / vfree the buffer.
+
+A simple fix is to just wrap the snd_seq_pool_init() call with the
+recently introduced client->ioctl_mutex; as the calls for
+snd_seq_pool_init() from other side are always protected with this
+mutex, we can avoid the race.
+
+Reported-by: 范龙飞
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/core/seq/seq_clientmgr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index d01913404581..a42cbbf2c8d9 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1003,7 +1003,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
+ {
+ struct snd_seq_client *client = file->private_data;
+ int written = 0, len;
+- int err = -EINVAL;
++ int err;
+ struct snd_seq_event event;
+ 
+ if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
+@@ -1018,11 +1018,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
+ 
+ /* allocate the pool now if the pool is not allocated yet */
+ if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+- if (snd_seq_pool_init(client->pool) < 0)
++ mutex_lock(&client->ioctl_mutex);
++ err = snd_seq_pool_init(client->pool);
++ mutex_unlock(&client->ioctl_mutex);
++ if (err < 0)
+ return -ENOMEM;
+ }
+ 
+ /* only process whole events */
++ err = -EINVAL;
+ while (count >= sizeof(struct snd_seq_event)) {
+ /* Read in the event header from the user */
+ len = sizeof(event);
+-- 
+2.16.2
+
diff --git a/debian/patches/series b/debian/patches/series
index cf0df77a9..729b1a0e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,6 +119,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/ALSA-seq-Fix-racy-pool-initializations.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
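Review bot: The Origin header of the new patch file records kernel commit 3b8e84c8373de4e068e282102425d498d992e49b under a `linus/` URL, while the patch body states `commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.` and carries a stable maintainer's sign-off, so the two identifiers presumably name the mainline fix and its stable backport. Whichever one Origin is meant to point at, the header should agree with the body, for instance `Origin: https://git.kernel.org/linus/d15d662e89fc667b90cd294b0eb45694e33144da` if the mainline commit is intended, so that anyone auditing the CVE-2018-7566 fix can cross-check it without guessing. The quilt hunk itself only serializes the snd_seq_pool_init() call under client->ioctl_mutex as the description says; snd_seq_write begins and ends outside the hunk.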