[linux] 03/03: Add fixes for CVE-2017-1000380

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Aug 17 20:24:10 UTC 2017



benh pushed a commit to branch stretch-security
in repository linux.

commit 6d8e5bfaa47c78a5cd4c3de19f1dec11c177bfe1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Aug 6 13:44:42 2017 +0100

    Add fixes for CVE-2017-1000380
---
 debian/changelog                                   |  3 +
 ...-timer-fix-missing-queue-indices-reset-at.patch | 52 ++++++++++++++++
 ...lsa-timer-fix-race-between-read-and-ioctl.patch | 69 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 4 files changed, 126 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index adc1c60..b643dec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ linux (4.9.30-2+deb9u4) UNRELEASED; urgency=medium
   * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
   * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
     CVE-2017-1000371)
+  * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
+  * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+    (CVE-2017-1000380)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 06 Aug 2017 15:21:20 +0100
 
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch b/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
new file mode 100644
index 0000000..e744bc4
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
@@ -0,0 +1,52 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Fri, 2 Jun 2017 17:26:56 +0200
+Subject: ALSA: timer: Fix missing queue indices reset at
+ SNDRV_TIMER_IOCTL_SELECT
+Origin: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
+
+snd_timer_user_tselect() reallocates the queue buffer dynamically, but
+it forgot to reset its indices.  Since the read may happen
+concurrently with ioctl and snd_timer_user_tselect() allocates the
+buffer via kmalloc(), this may lead to the leak of uninitialized
+kernel-space data, as spotted via KMSAN:
+
+  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
+  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Call Trace:
+   __dump_stack lib/dump_stack.c:16
+   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
+   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
+   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
+   copy_to_user ./arch/x86/include/asm/uaccess.h:725
+   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
+   do_loop_readv_writev fs/read_write.c:716
+   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
+   do_readv_writev fs/read_write.c:894
+   vfs_readv fs/read_write.c:908
+   do_readv+0x52a/0x5d0 fs/read_write.c:934
+   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
+   SyS_readv+0x87/0xb0 fs/read_write.c:1018
+
+This patch adds the missing reset of queue indices.  Together with the
+previous fix for the ioctl/read race, we cover the whole problem.
+
+Reported-by: Alexander Potapenko <glider at google.com>
+Tested-by: Alexander Potapenko <glider at google.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1622,6 +1622,7 @@ static int snd_timer_user_tselect(struct
+ 	if (err < 0)
+ 		goto __err;
+ 
++	tu->qhead = tu->qtail = tu->qused = 0;
+ 	kfree(tu->queue);
+ 	tu->queue = NULL;
+ 	kfree(tu->tqueue);
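Review bot: The added reset `tu->qhead = tu->qtail = tu->qused = 0;` runs without tu->qlock, so it relies entirely on the ioctl mutex (presumably held by the ioctl dispatcher, which is not visible here) to keep snd_timer_user_read from applying the old indices to the freshly kmalloc()'d buffer, and the description itself says the fix is only complete together with the companion read/ioctl race patch. A defence-in-depth step that does not depend on lock discipline is to allocate the replacement queues zeroed, i.e. use `kcalloc()` with the same size arguments in place of `kmalloc()` for tu->queue and tu->tqueue, so that any future index mismatch can at worst return zeroed entries rather than stale heap contents. The allocation lines and the rest of snd_timer_user_tselect lie outside this hunk (the function starts before and ends after it), so the exact allocation expressions should be checked against the tree.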
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch b/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
new file mode 100644
index 0000000..c8aa19e
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
@@ -0,0 +1,69 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Fri, 2 Jun 2017 15:03:38 +0200
+Subject: ALSA: timer: Fix race between read and ioctl
+Origin: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000380
+
+The read from ALSA timer device, the function snd_timer_user_tread(),
+may access to an uninitialized struct snd_timer_user fields when the
+read is concurrently performed while the ioctl like
+snd_timer_user_tselect() is invoked.  We have already fixed the races
+among ioctls via a mutex, but we seem to have forgotten the race
+between read vs ioctl.
+
+This patch simply applies (more exactly extends the already applied
+range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
+race window.
+
+Reported-by: Alexander Potapenko <glider at google.com>
+Tested-by: Alexander Potapenko <glider at google.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ sound/core/timer.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1963,6 +1963,7 @@ static ssize_t snd_timer_user_read(struc
+ 
+ 	tu = file->private_data;
+ 	unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);
++	mutex_lock(&tu->ioctl_lock);
+ 	spin_lock_irq(&tu->qlock);
+ 	while ((long)count - result >= unit) {
+ 		while (!tu->qused) {
+@@ -1978,7 +1979,9 @@ static ssize_t snd_timer_user_read(struc
+ 			add_wait_queue(&tu->qchange_sleep, &wait);
+ 
+ 			spin_unlock_irq(&tu->qlock);
++			mutex_unlock(&tu->ioctl_lock);
+ 			schedule();
++			mutex_lock(&tu->ioctl_lock);
+ 			spin_lock_irq(&tu->qlock);
+ 
+ 			remove_wait_queue(&tu->qchange_sleep, &wait);
+@@ -1998,7 +2001,6 @@ static ssize_t snd_timer_user_read(struc
+ 		tu->qused--;
+ 		spin_unlock_irq(&tu->qlock);
+ 
+-		mutex_lock(&tu->ioctl_lock);
+ 		if (tu->tread) {
+ 			if (copy_to_user(buffer, &tu->tqueue[qhead],
+ 					 sizeof(struct snd_timer_tread)))
+@@ -2008,7 +2010,6 @@ static ssize_t snd_timer_user_read(struc
+ 					 sizeof(struct snd_timer_read)))
+ 				err = -EFAULT;
+ 		}
+-		mutex_unlock(&tu->ioctl_lock);
+ 
+ 		spin_lock_irq(&tu->qlock);
+ 		if (err < 0)
+@@ -2018,6 +2019,7 @@ static ssize_t snd_timer_user_read(struc
+ 	}
+  _error:
+ 	spin_unlock_irq(&tu->qlock);
++	mutex_unlock(&tu->ioctl_lock);
+ 	return result > 0 ? result : err;
+ }
+ 
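Review bot: `unit` is computed from tu->tread once, on the line just above the added `mutex_lock(&tu->ioctl_lock);`, yet the mutex is dropped around `schedule()` in the second hunk and after it is re-taken the loop keeps using the old `unit` while the copy path re-reads `tu->tread`. Whether anything can change tu->tread or swap the queue buffers while a reader sleeps cannot be determined from this hunk; if it can, the loop bound and the element size actually copied would disagree. Recomputing it after the re-lock is a one-liner, `unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read);`, or, if the TREAD ioctl is gated so this is impossible, a comment at the mutex_lock site saying so would spare the next reader the same question. snd_timer_user_read begins before the first hunk; only the tail of the function is visible here.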
diff --git a/debian/patches/series b/debian/patches/series
index e9c3182..2d16bf6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -134,6 +134,8 @@ bugfix/all/fs-exec.c-account-for-argv-envp-pointers.patch
 bugfix/all/dentry-name-snapshots.patch
 bugfix/x86/kvm-x86-fix-singlestepping-over-syscall.patch
 bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
+bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
+bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
