[linux] 01/01: ALSA: seq: Make ioctls race-free (CVE-2018-1000004)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jan 18 15:42:04 UTC 2018


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit e30f878e1d0aba263a53e86818d095f19a3da303
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jan 18 14:28:56 2018 +0100

    ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
---
 debian/changelog                                   |  1 +
 .../all/alsa-seq-make-ioctls-race-free.patch       | 64 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 66 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 412c0e2..13d6522 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -111,6 +111,7 @@ linux (4.14.14-1) UNRELEASED; urgency=medium
 
   [ Salvatore Bonaccorso ]
   * loop: fix concurrent lo_open/lo_release (CVE-2018-5344)
+  * ALSA: seq: Make ioctls race-free (CVE-2018-1000004)
 
   [ Ben Hutchings ]
   * bpf: Avoid ABI change in 4.14.14
diff --git a/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch b/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
new file mode 100644
index 0000000..9f3b215
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-seq-make-ioctls-race-free.patch
@@ -0,0 +1,64 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Tue, 9 Jan 2018 23:11:03 +0100
+Subject: ALSA: seq: Make ioctls race-free
+Origin: https://git.kernel.org/linus/b3defb791b26ea0683a93a4f49c77ec45ec96f10
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000004
+
+The ALSA sequencer ioctls have no protection against racy calls while
+the concurrent operations may lead to interfere with each other.  As
+reported recently, for example, the concurrent calls of setting client
+pool with a combination of write calls may lead to either the
+unkillable dead-lock or UAF.
+
+As a slightly big hammer solution, this patch introduces the mutex to
+make each ioctl exclusive.  Although this may reduce performance via
+parallel ioctl calls, usually it's not demanded for sequencer usages,
+hence it should be negligible.
+
+Reported-by: Luo Quan <a4651386 at 163.com>
+Reviewed-by: Kees Cook <keescook at chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/seq/seq_clientmgr.c | 3 +++
+ sound/core/seq/seq_clientmgr.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 6e22eea72654..d01913404581 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
+ 	rwlock_init(&client->ports_lock);
+ 	mutex_init(&client->ports_mutex);
+ 	INIT_LIST_HEAD(&client->ports_list_head);
++	mutex_init(&client->ioctl_mutex);
+ 
+ 	/* find free slot in the client table */
+ 	spin_lock_irqsave(&clients_lock, flags);
+@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd,
+ 			return -EFAULT;
+ 	}
+ 
++	mutex_lock(&client->ioctl_mutex);
+ 	err = handler->func(client, &buf);
++	mutex_unlock(&client->ioctl_mutex);
+ 	if (err >= 0) {
+ 		/* Some commands includes a bug in 'dir' field. */
+ 		if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
+diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
+index c6614254ef8a..0611e1e0ed5b 100644
+--- a/sound/core/seq/seq_clientmgr.h
++++ b/sound/core/seq/seq_clientmgr.h
+@@ -61,6 +61,7 @@ struct snd_seq_client {
+ 	struct list_head ports_list_head;
+ 	rwlock_t ports_lock;
+ 	struct mutex ports_mutex;
++	struct mutex ioctl_mutex;
+ 	int convert32;		/* convert 32->64bit */
+ 
+ 	/* output pool */
+-- 
+2.11.0
+
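Review bot: the new ioctl_mutex is taken only around handler->func(client, &buf) in snd_seq_ioctl(), but the commit message names pool-setting ioctls combined with write calls as the racy case. Nothing in this patch touches the write path, so the description should state how an ioctl racing with a concurrent write on the same client is serialized, or the write path should take client->ioctl_mutex around its pool access as well. A short comment on the ioctl_mutex field in struct snd_seq_client saying what it protects would also help, since it sits next to ports_mutex with no indication of the difference.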
diff --git a/debian/patches/series b/debian/patches/series
index 6b75261..968622e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -126,6 +126,7 @@ bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
 bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
 bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
 bugfix/all/loop-fix-concurrent-lo_open-lo_release.patch
+bugfix/all/alsa-seq-make-ioctls-race-free.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git