ACK: [SRU][T][PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
Tyler Hicks
tyhicks at canonical.com
Mon Feb 18 15:35:10 UTC 2019
I forgot to adjust the subject line to indicate that I'm acking the
patch. This reply has the adjusted subject line.
Tyler
On 2019-02-18 16:32:44, Tyler Hicks wrote:
> On 2019-02-18 22:49:58, Hui Wang wrote:
> > From: Hui Peng <benquike at gmail.com>
> >
> > If a USB sound card reports 0 interfaces, an error condition is triggered
> > and the function usb_audio_probe errors out. In the error path, there was a
> > use-after-free vulnerability where the memory object of the card was first
> > freed, followed by a decrement of the number of active chips. Moving the
> > decrement above the atomic_dec fixes the UAF.
> >
> > [ The original problem was introduced in 3.1 kernel, while it was
> > developed in a different form. The Fixes tag below indicates the
> > original commit but it doesn't mean that the patch is applicable
> > cleanly. -- tiwai ]
> >
> > Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> > Reported-by: Hui Peng <benquike at gmail.com>
> > Reported-by: Mathias Payer <mathias.payer at nebelwelt.net>
> > Signed-off-by: Hui Peng <benquike at gmail.com>
> > Signed-off-by: Mathias Payer <mathias.payer at nebelwelt.net>
> > Cc: <stable at vger.kernel.org>
> > Signed-off-by: Takashi Iwai <tiwai at suse.de>
> >
> > CVE-2018-19824
> >
> > (backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> > Signed-off-by: Hui Wang <hui.wang at canonical.com>
>
> This is a low risk change. It required a backport but you've got a good
> understanding of the problem and what's required of the backport.
>
> Acked-by: Tyler Hicks <tyhicks at canonical.com>
>
> Thanks for working on this!
>
> Tyler
>
> > ---
> > sound/usb/card.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > index 75b1040ef3bb..dfbd152c0962 100644
> > --- a/sound/usb/card.c
> > +++ b/sound/usb/card.c
> > @@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev,
> >
> > __error:
> > if (chip) {
> > + /* chip->probing is inside the chip->card object,
> > + * set the value before memory is possibly returned.
> > + */
> > + chip->probing = 0;
> > if (!chip->num_interfaces)
> > snd_card_free(chip->card);
> > - chip->probing = 0;
> > }
> > mutex_unlock(®ister_mutex);
> > __err_val:
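
Review bot: The commit message and the hunk disagree on what is being moved, and the backport line does not explain the difference. The message describes moving a decrement relative to an atomic_dec, while the only statement moved under __error: is the plain assignment chip->probing = 0, now placed ahead of the snd_card_free(chip->card) call. A bracketed backport note next to the "(backported from commit ...)" line, saying that this tree clears chip->probing where the message speaks of a decrement, would let a later reader match the description to the code. The ordering itself is consistent with the added comment: the !chip->num_interfaces test and the new store both touch chip before the free, and nothing in the visible lines dereferences chip after it. As a style point, the added block comment starts its text on the same line as the opening /*; the usual kernel form outside net/ puts /* on a line of its own.
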
> > --
> > 2.17.1
> >
> >
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team