[linux] 01/01: ALSA: timer: Fix leak in events via snd_timer_user_ccallback or snd_timer_user_tinterrupt (CVE-2016-4578)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 23 19:33:36 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 17633a8b40ff6164c650bdaaab0077b749a977f5
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jun 23 21:30:54 2016 +0200

    ALSA: timer: Fix leak in events via snd_timer_user_ccallback or snd_timer_user_tinterrupt (CVE-2016-4578)
---
 debian/changelog                                   |  2 ++
 ...fix-leak-in-events-via-snd_timer_user_cca.patch | 33 ++++++++++++++++++++++
 ...fix-leak-in-events-via-snd_timer_user_tin.patch | 33 ++++++++++++++++++++++
 debian/patches/series                              |  2 ++
 4 files changed, 70 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2fbc998..09e3933 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -28,6 +28,8 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
     (CVE-2016-4581)
   * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
   * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
+  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or
+    snd_timer_user_tinterrupt (CVE-2016-4578)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 30 Mar 2016 16:32:07 +0100
 
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 0000000..3dc238a
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,33 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 306a93d..cc3c08d 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1223,6 +1223,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ 		tu->tstamp = *tstamp;
+ 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ 		return;
++	memset(&r1, 0, sizeof(r1));
+ 	r1.event = event;
+ 	r1.tstamp = *tstamp;
+ 	r1.val = resolution;
+-- 
+2.8.1
+
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 0000000..e319d5b
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,33 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index cc3c08d..e722022 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1266,6 +1266,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ 	}
+ 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ 	    tu->last_resolution != resolution) {
++		memset(&r1, 0, sizeof(r1));
+ 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ 		r1.tstamp = tstamp;
+ 		r1.val = resolution;
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index c01d3a8..dcf39d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -680,3 +680,5 @@ bugfix/all/fs-pnode.c-treat-zero-mnt_group_id-s-as-unequal.patch
 bugfix/all/propogate_mnt-Handle-the-first-propogated-copy-being.patch
 bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
 bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list