[linux] 01/01: ALSA: timer: Fix leak in events via snd_timer_user_ccallback or snd_timer_user_tinterrupt (CVE-2016-4578)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Jun 23 19:33:36 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 17633a8b40ff6164c650bdaaab0077b749a977f5
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Jun 23 21:30:54 2016 +0200
ALSA: timer: Fix leak in events via snd_timer_user_ccallback or snd_timer_user_tinterrupt (CVE-2016-4578)
---
debian/changelog | 2 ++
...fix-leak-in-events-via-snd_timer_user_cca.patch | 33 ++++++++++++++++++++++
...fix-leak-in-events-via-snd_timer_user_tin.patch | 33 ++++++++++++++++++++++
debian/patches/series | 2 ++
4 files changed, 70 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2fbc998..09e3933 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -28,6 +28,8 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
(CVE-2016-4581)
* USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
* ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
+ * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or
+ snd_timer_user_tinterrupt (CVE-2016-4578)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 30 Mar 2016 16:32:07 +0100
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 0000000..3dc238a
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,33 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 306a93d..cc3c08d 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1223,6 +1223,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
+--
+2.8.1
+
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 0000000..e319d5b
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,33 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index cc3c08d..e722022 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1266,6 +1266,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
+--
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index c01d3a8..dcf39d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -680,3 +680,5 @@ bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
bugfix/all/propogate_mnt-Handle-the-first-propogated-copy-being.patch
bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list