diff --git a/debian/changelog b/debian/changelog index 412c0e2db..13d6522a1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -111,6 +111,7 @@ linux (4.14.14-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * loop: fix concurrent lo_open/lo_release (CVE-2018-5344) + * ALSA: seq: Make ioctls race-free (CVE-2018-1000004) [ Ben Hutchings ] * bpf: Avoid ABI change in 4.14.14 diff --git a/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch b/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch new file mode 100644 index 000000000..9f3b21507 --- /dev/null +++ b/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch @@ -0,0 +1,64 @@ +From: Takashi Iwai +Date: Tue, 9 Jan 2018 23:11:03 +0100 +Subject: ALSA: seq: Make ioctls race-free +Origin: https://git.kernel.org/linus/b3defb791b26ea0683a93a4f49c77ec45ec96f10 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000004 + +The ALSA sequencer ioctls have no protection against racy calls while +the concurrent operations may lead to interfere with each other. As +reported recently, for example, the concurrent calls of setting client +pool with a combination of write calls may lead to either the +unkillable dead-lock or UAF. + +As a slightly big hammer solution, this patch introduces the mutex to +make each ioctl exclusive. Although this may reduce performance via +parallel ioctl calls, usually it's not demanded for sequencer usages, +hence it should be negligible. + +Reported-by: Luo Quan +Reviewed-by: Kees Cook +Reviewed-by: Greg Kroah-Hartman +Cc: +Signed-off-by: Takashi Iwai +--- + sound/core/seq/seq_clientmgr.c | 3 +++ + sound/core/seq/seq_clientmgr.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 6e22eea72654..d01913404581 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize) + rwlock_init(&client->ports_lock); + mutex_init(&client->ports_mutex); + INIT_LIST_HEAD(&client->ports_list_head); ++ mutex_init(&client->ioctl_mutex); + + /* find free slot in the client table */ + spin_lock_irqsave(&clients_lock, flags); +@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd, + return -EFAULT; + } + ++ mutex_lock(&client->ioctl_mutex); + err = handler->func(client, &buf); ++ mutex_unlock(&client->ioctl_mutex); + if (err >= 0) { + /* Some commands includes a bug in 'dir' field. */ + if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT || +diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h +index c6614254ef8a..0611e1e0ed5b 100644 +--- a/sound/core/seq/seq_clientmgr.h ++++ b/sound/core/seq/seq_clientmgr.h +@@ -61,6 +61,7 @@ struct snd_seq_client { + struct list_head ports_list_head; + rwlock_t ports_lock; + struct mutex ports_mutex; ++ struct mutex ioctl_mutex; + int convert32; /* convert 32->64bit */ + + /* output pool */ +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 6b7526171..968622e91 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -126,6 +126,7 @@ bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch +bugfix/all/alsa-seq-make-ioctls-race-free.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch