[linux] 01/01: ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-XXXX)

debian-kernel at lists.debian.org
Sun Feb 14 05:01:29 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit fab6368c08fc7562c9c07cbdc9d58b9f963a4c4b
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Feb 14 05:00:28 2016 +0000

    ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-XXXX)
---
 debian/changelog                                   |  1 +
 ...sb-audio-avoid-freeing-umidi-object-twice.patch | 30 ++++++++++++++++++++++
 debian/patches/series/48squeeze20                  |  1 +
 3 files changed, 32 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ea2bacb..b8d038f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux-2.6 (2.6.32-48squeeze20) UNRELEASED; urgency=medium
   * RDMA/cxgb3: Don't free skbs on NET_XMIT_* indications from LLD
     (CVE-2015-8812)
   * iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
+  * ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-XXXX)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 13 Feb 2016 18:55:35 +0000
 
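Review bot: The added changelog line cites the placeholder CVE-2016-XXXX rather than an assigned identifier. The 2.6.32-48squeeze20 entry is still marked UNRELEASED, so replace the placeholder with the real id once it is known, before the version is finalised.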
diff --git a/debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch b/debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
new file mode 100644
index 0000000..1a2fced
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
@@ -0,0 +1,30 @@
+From: Andrey Konovalov <andreyknvl at gmail.com>
+Date: Sat, 13 Feb 2016 11:08:06 +0300
+Subject: ALSA: usb-audio: avoid freeing umidi object twice
+Origin: https://git.kernel.org/linus/07d86ca93db7e5cdf4743564d98292042ec21af7
+
+The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
+when tearing down the rawmidi interface. So we shouldn't try to free it
+in snd_usbmidi_create() after having registered the rawmidi interface.
+
+Found by KASAN.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at gmail.com>
+Acked-by: Clemens Ladisch <clemens at ladisch.de>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+[bwh: Backported to 2.6.32: adjust filename]
+---
+ sound/usb/usbmidi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/usb/usbmidi.c
++++ b/sound/usb/usbmidi.c
+@@ -1960,7 +1960,6 @@ int snd_usbmidi_create(struct snd_card *card,
+ 	else
+ 		err = snd_usbmidi_create_endpoints(umidi, endpoints);
+ 	if (err < 0) {
+-		snd_usbmidi_free(umidi);
+ 		return err;
+ 	}
+ 
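Review bot: In the snd_usbmidi_create() hunk, the error branch after snd_usbmidi_create_endpoints() is reduced to `return err;`, so nothing in the visible lines shows umidi being released on that path. Correctness now rests on the rawmidi teardown calling snd_usbmidi_free(), as the commit message states, and the backport note mentions only a filename adjustment. Please confirm that the 2.6.32 sound/usb/usbmidi.c frees umidi through that same teardown path; if it does not, removing the call would leak umidi. A one-line comment in the branch saying that umidi is released together with the rawmidi interface would also keep the call from being reinstated later.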
diff --git a/debian/patches/series/48squeeze20 b/debian/patches/series/48squeeze20
index 69020d7..7d1e90d 100644
--- a/debian/patches/series/48squeeze20
+++ b/debian/patches/series/48squeeze20
@@ -1,3 +1,4 @@
 + bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch
 + bugfix/all/rdma-cxgb3-don-t-free-skbs-on-net_xmit_-indications-.patch
 + bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
++ bugfix/all/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


