d513484f62
CVE-2014-9900: net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() CVE-2017-7346: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() CVE-2017-9605: drm/vmwgfx: Make sure backup_handle is always valid CVE-2017-1000380: * ALSA: timer: Fix race between read and ioctl * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
67 lines
2.5 KiB
Diff
67 lines
2.5 KiB
Diff
From 993c7c14bbc4bf51025bb5c83c1c130417e0e823 Mon Sep 17 00:00:00 2001
|
|
From: Takashi Iwai <tiwai@suse.de>
|
|
Date: Wed, 21 Jun 2017 18:56:02 +0200
|
|
Subject: [PATCH 2/5] ALSA: timer: Fix missing queue indices reset at
|
|
SNDRV_TIMER_IOCTL_SELECT
|
|
|
|
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
|
|
it forgot to reset its indices. Since the read may happen
|
|
concurrently with ioctl and snd_timer_user_tselect() allocates the
|
|
buffer via kmalloc(), this may lead to the leak of uninitialized
|
|
kernel-space data, as spotted via KMSAN:
|
|
|
|
BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
|
|
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
|
|
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
|
|
Call Trace:
|
|
__dump_stack lib/dump_stack.c:16
|
|
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
|
|
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
|
|
kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
|
|
copy_to_user ./arch/x86/include/asm/uaccess.h:725
|
|
snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
|
|
do_loop_readv_writev fs/read_write.c:716
|
|
__do_readv_writev+0x94c/0x1380 fs/read_write.c:864
|
|
do_readv_writev fs/read_write.c:894
|
|
vfs_readv fs/read_write.c:908
|
|
do_readv+0x52a/0x5d0 fs/read_write.c:934
|
|
SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
|
|
SyS_readv+0x87/0xb0 fs/read_write.c:1018
|
|
|
|
This patch adds the missing reset of queue indices. Together with the
|
|
previous fix for the ioctl/read race, we cover the whole problem.
|
|
|
|
Reported-by: Alexander Potapenko <glider@google.com>
|
|
Tested-by: Alexander Potapenko <glider@google.com>
|
|
Cc: <stable@vger.kernel.org>
|
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
|
|
|
CVE-2017-1000380
|
|
|
|
(cherry-picked from commit ba3021b2c79b2fa9114f92790a99deb27a65b728)
|
|
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
|
Acked-by: Seth Forshee <seth.forshee@canonical.com>
|
|
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
|
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
|
|
|
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
|
---
|
|
sound/core/timer.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/sound/core/timer.c b/sound/core/timer.c
|
|
index 3c11a6983f54..e5ddc475dca4 100644
|
|
--- a/sound/core/timer.c
|
|
+++ b/sound/core/timer.c
|
|
@@ -1622,6 +1622,7 @@ static int snd_timer_user_tselect(struct file *file,
|
|
if (err < 0)
|
|
goto __err;
|
|
|
|
+ tu->qhead = tu->qtail = tu->qused = 0;
|
|
kfree(tu->queue);
|
|
tu->queue = NULL;
|
|
kfree(tu->tqueue);
|
|
--
|
|
2.11.0
|
|
|