[linux] 17/18: ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Dec 29 03:44:12 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit c2cf1109f456db213dda8f971e2529cdd914a0fe
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 28 23:50:01 2016 +0000
ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
---
debian/changelog | 1 +
.../alsa-pcm-call-kill_fasync-in-stream-lock.patch | 43 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 45 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3a36fac..0f40499 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -508,6 +508,7 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
(CVE-2016-9576)
* [x86] KVM: drop error recovery in em_jmp_far and em_ret_far (CVE-2016-9756)
* net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
+ * ALSA: pcm : Call kill_fasync() in stream lock (CVE-2016-9794)
[ Julien Cristau ]
* hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch b/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
new file mode 100644
index 0000000..f5421b8
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
@@ -0,0 +1,43 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Thu, 14 Apr 2016 18:02:37 +0200
+Subject: ALSA: pcm : Call kill_fasync() in stream lock
+Origin: https://git.kernel.org/linus/3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9794
+
+Currently kill_fasync() is called outside the stream lock in
+snd_pcm_period_elapsed(). This is potentially racy, since the stream
+may get released even during the irq handler is running. Although
+snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
+guarantee that the irq handler finishes, thus the kill_fasync() call
+outside the stream spin lock may be invoked after the substream is
+detached, as recently reported by KASAN.
+
+As a quick workaround, move kill_fasync() call inside the stream
+lock. The fasync is rarely used interface, so this shouldn't have a
+big impact from the performance POV.
+
+Ideally, we should implement some sync mechanism for the proper finish
+of stream and irq handler. But this oneliner should suffice for most
+cases, so far.
+
+Reported-by: Baozeng Ding <sploving1 at gmail.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+[bwh: Backported to 3.16: adjust context]
+---
+ sound/core/pcm_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -1856,10 +1856,10 @@ void snd_pcm_period_elapsed(struct snd_p
+ if (substream->timer_running)
+ snd_timer_interrupt(substream->timer, 1);
+ _end:
+- snd_pcm_stream_unlock_irqrestore(substream, flags);
+ if (runtime->transfer_ack_end)
+ runtime->transfer_ack_end(substream);
+ kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
++ snd_pcm_stream_unlock_irqrestore(substream, flags);
+ }
+
+ EXPORT_SYMBOL(snd_pcm_period_elapsed);
diff --git a/debian/patches/series b/debian/patches/series
index 521db02..886d2d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -675,6 +675,7 @@ bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch
bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch
bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch
+bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list