[linux] 03/03: ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Dec 28 22:23:29 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 8962c925c8c679d8bafdf1aac74254e23ce0d3f8
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 21:57:42 2016 +0000

    ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
---
 debian/changelog                                   |  1 +
 .../alsa-pcm-call-kill_fasync-in-stream-lock.patch | 43 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a18c535..91fd35e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -115,6 +115,7 @@ linux (3.2.84-1) UNRELEASED; urgency=medium
     (CVE-2016-9576)
   * [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
   * [x86] KVM: drop error recovery in em_jmp_far and em_ret_far (CVE-2016-9756)
+  * ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 28 Nov 2016 18:43:52 +0000
 
diff --git a/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch b/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
new file mode 100644
index 0000000..f88465a
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
@@ -0,0 +1,43 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Thu, 14 Apr 2016 18:02:37 +0200
+Subject: ALSA: pcm : Call kill_fasync() in stream lock
+Origin: https://git.kernel.org/linus/3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9794
+
+Currently kill_fasync() is called outside the stream lock in
+snd_pcm_period_elapsed().  This is potentially racy, since the stream
+may get released even during the irq handler is running.  Although
+snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
+guarantee that the irq handler finishes, thus the kill_fasync() call
+outside the stream spin lock may be invoked after the substream is
+detached, as recently reported by KASAN.
+
+As a quick workaround, move kill_fasync() call inside the stream
+lock.  The fasync is rarely used interface, so this shouldn't have a
+big impact from the performance POV.
+
+Ideally, we should implement some sync mechanism for the proper finish
+of stream and irq handler.  But this oneliner should suffice for most
+cases, so far.
+
+Reported-by: Baozeng Ding <sploving1 at gmail.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+[bwh: Backported to 3.2: adjust context]
+---
+ sound/core/pcm_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1766,10 +1766,10 @@ void snd_pcm_period_elapsed(struct snd_p
+ 	if (substream->timer_running)
+ 		snd_timer_interrupt(substream->timer, 1);
+  _end:
+-	snd_pcm_stream_unlock_irqrestore(substream, flags);
+ 	if (runtime->transfer_ack_end)
+ 		runtime->transfer_ack_end(substream);
+ 	kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
++	snd_pcm_stream_unlock_irqrestore(substream, flags);
+ }
+ 
+ EXPORT_SYMBOL(snd_pcm_period_elapsed);
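Review bot: the backport moves more than the upstream one-liner: in the 3.2 context the relocated `snd_pcm_stream_unlock_irqrestore()` now also covers the `runtime->transfer_ack_end(substream)` callback (lines `+ 	if (runtime->transfer_ack_end)` / `+ 		runtime->transfer_ack_end(substream);`), so that callback is invoked with the stream spinlock held and interrupts disabled, whereas before this patch it ran unlocked. The `[bwh: Backported to 3.2: adjust context]` line should say so explicitly, and the backporter should confirm that no in-tree `transfer_ack_end` implementation sleeps or re-takes the stream lock, since either would now deadlock or warn in the period-elapsed path. Moving `kill_fasync()` itself under the lock is the intended fix and is safe there; if any `transfer_ack_end` user turns out to need process context, the unlock could instead be placed between that call and `kill_fasync()`, which still closes the reported use-after-free.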
diff --git a/debian/patches/series b/debian/patches/series
index 9ad6db0..96acca8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1119,6 +1119,7 @@ bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
 bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
 bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
 bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
+bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
