[linux] 03/03: Add fixes for CVE-2017-1000380
Thu Aug 17 20:24:10 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch-security
in repository linux.
commit 6d8e5bfaa47c78a5cd4c3de19f1dec11c177bfe1
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Aug 6 13:44:42 2017 +0100
Add fixes for CVE-2017-1000380
---
debian/changelog | 3 +
...-timer-fix-missing-queue-indices-reset-at.patch | 52 ++++++++++++++++
...lsa-timer-fix-race-between-read-and-ioctl.patch | 69 ++++++++++++++++++++++
debian/patches/series | 2 +
4 files changed, 126 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index adc1c60..b643dec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ linux (4.9.30-2+deb9u4) UNRELEASED; urgency=medium
* [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
* binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
CVE-2017-1000371)
+ * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
+ * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+ (CVE-2017-1000380)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 06 Aug 2017 15:21:20 +0100
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch b/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
new file mode 100644
index 0000000..e744bc4
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
@@ -0,0 +1,52 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Fri, 2 Jun 2017 17:26:56 +0200
+Subject: ALSA: timer: Fix missing queue indices reset at
+ SNDRV_TIMER_IOCTL_SELECT
+Origin: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
+
+snd_timer_user_tselect() reallocates the queue buffer dynamically, but
+it forgot to reset its indices. Since the read may happen
+concurrently with ioctl and snd_timer_user_tselect() allocates the
+buffer via kmalloc(), this may lead to the leak of uninitialized
+kernel-space data, as spotted via KMSAN:
+
+ BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
+ CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x143/0x1b0 lib/dump_stack.c:52
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
+ kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
+ copy_to_user ./arch/x86/include/asm/uaccess.h:725
+ snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
+ do_loop_readv_writev fs/read_write.c:716
+ __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
+ do_readv_writev fs/read_write.c:894
+ vfs_readv fs/read_write.c:908
+ do_readv+0x52a/0x5d0 fs/read_write.c:934
+ SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
+ SyS_readv+0x87/0xb0 fs/read_write.c:1018
+
+This patch adds the missing reset of queue indices. Together with the
+previous fix for the ioctl/read race, we cover the whole problem.
+
+Reported-by: Alexander Potapenko <glider at google.com>
+Tested-by: Alexander Potapenko <glider at google.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1622,6 +1622,7 @@ static int snd_timer_user_tselect(struct
+ if (err < 0)
+ goto __err;
+
++ tu->qhead = tu->qtail = tu->qused = 0;
+ kfree(tu->queue);
+ tu->queue = NULL;
+ kfree(tu->tqueue);
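Review bot: The index reset at `tu->qhead = tu->qtail = tu->qused = 0;` is done without tu->qlock as far as the hunk shows, while those fields are presumably also advanced from the timer callback under that spinlock elsewhere in the file; this looks safe only because the timer has just been opened and not yet started, so no callback can be queueing events. A one-line comment stating that dependency would help, e.g. `/* timer just opened, not started: no callback can touch the queue yet */`. The fix also leans on the sibling patch, since the read path only stops observing a half-rebuilt queue because it now holds tu->ioctl_lock, so this patch has to stay after alsa-timer-fix-race-between-read-and-ioctl.patch in debian/patches/series, as it does. snd_timer_user_tselect begins and ends outside the hunk.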
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch b/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
new file mode 100644
index 0000000..c8aa19e
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
@@ -0,0 +1,69 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Fri, 2 Jun 2017 15:03:38 +0200
+Subject: ALSA: timer: Fix race between read and ioctl
+Origin: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
+
+The read from ALSA timer device, the function snd_timer_user_tread(),
+may access to an uninitialized struct snd_timer_user fields when the
+read is concurrently performed while the ioctl like
+snd_timer_user_tselect() is invoked. We have already fixed the races
+among ioctls via a mutex, but we seem to have forgotten the race
+between read vs ioctl.
+
+This patch simply applies (more exactly extends the already applied
+range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
+race window.
+
+Reported-by: Alexander Potapenko <glider at google.com>
+Tested-by: Alexander Potapenko <glider at google.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ sound/core/timer.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1963,6 +1963,7 @@ static ssize_t snd_timer_user_read(struc
+
+ tu = file->private_data;
+ unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);
++ mutex_lock(&tu->ioctl_lock);
+ spin_lock_irq(&tu->qlock);
+ while ((long)count - result >= unit) {
+ while (!tu->qused) {
+@@ -1978,7 +1979,9 @@ static ssize_t snd_timer_user_read(struc
+ add_wait_queue(&tu->qchange_sleep, &wait);
+
+ spin_unlock_irq(&tu->qlock);
++ mutex_unlock(&tu->ioctl_lock);
+ schedule();
++ mutex_lock(&tu->ioctl_lock);
+ spin_lock_irq(&tu->qlock);
+
+ remove_wait_queue(&tu->qchange_sleep, &wait);
+@@ -1998,7 +2001,6 @@ static ssize_t snd_timer_user_read(struc
+ tu->qused--;
+ spin_unlock_irq(&tu->qlock);
+
+- mutex_lock(&tu->ioctl_lock);
+ if (tu->tread) {
+ if (copy_to_user(buffer, &tu->tqueue[qhead],
+ sizeof(struct snd_timer_tread)))
+@@ -2008,7 +2010,6 @@ static ssize_t snd_timer_user_read(struc
+ sizeof(struct snd_timer_read)))
+ err = -EFAULT;
+ }
+- mutex_unlock(&tu->ioctl_lock);
+
+ spin_lock_irq(&tu->qlock);
+ if (err < 0)
+@@ -2018,6 +2019,7 @@ static ssize_t snd_timer_user_read(struc
+ }
+ _error:
+ spin_unlock_irq(&tu->qlock);
++ mutex_unlock(&tu->ioctl_lock);
+ return result > 0 ? result : err;
+ }
+
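Review bot: `unit` is still computed from `tu->tread` on the line just before the new `mutex_lock(&tu->ioctl_lock);`, so the element size that bounds the read loop is taken outside the lock this patch introduces, while `tu->tread` is re-read under the lock further down to choose between the snd_timer_tread and snd_timer_read copy sizes; if an ioctl can still flip tread at that point, the two may disagree. Moving the assignment below the lock closes that window: `mutex_lock(&tu->ioctl_lock);` followed by `unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);`. Whether tread can change once a reader is active is not visible here, so this may be moot, but the ordering is cheap to fix. The top of snd_timer_user_read is outside the hunk; only its closing brace is shown.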
diff --git a/debian/patches/series b/debian/patches/series
index e9c3182..2d16bf6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -134,6 +134,8 @@ bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
bugfix/all/dentry-name-snapshots.patch
bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
+bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
+bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch