author Michal Hocko <mhocko@suse.com> 2019-01-14 13:18:22 +0100
committer Michal Hocko <mhocko@suse.com> 2019-01-14 13:18:22 +0100
commit 86167c0df43fd8784be30732b31cdc82b30f3dd9 (patch)
tree d7b72713038987490c687e1906698e06d003e9be
parent ee215f00badaa146dfd776dd240d6f98100ab621 (diff)
parent 16e2270e1acbbf507dbf92148a9c9f24c387b6f3 (diff)
Merge remote-tracking branch 'origin/cve/linux-3.0' into users/mhocko/SLE11-SP4/for-next
-rw-r--r-- patches.drivers/ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch 53
-rw-r--r-- patches.fixes/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch 105
-rw-r--r-- series.conf 2
3 files changed, 160 insertions, 0 deletions
diff --git a/patches.drivers/ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch b/patches.drivers/ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
new file mode 100644
index 0000000000..37e0a88d3a
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
@@ -0,0 +1,53 @@
+From 5f8cf712582617d523120df67d392059eaf2fc4b Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Mon, 3 Dec 2018 16:09:34 +0100
+Subject: [PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live
+ interfaces in card.c
+References: CVE-2018-19824,bsc#1118152
+Git-commit: 5f8cf712582617d523120df67d392059eaf2fc4b
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+Patch-mainline: Queued in subsystem maintainer repository
+
+[ NOTE FOR BACKPORT:
+ the patch context adapted for 3.12 base, i.e. chip->active is converted
+ to chip->probing -- tiwai ]
+
+If a USB sound card reports 0 interfaces, an error condition is triggered
+and the function usb_audio_probe errors out. In the error path, there was a
+use-after-free vulnerability where the memory object of the card was first
+freed, followed by a decrement of the number of active chips. Moving the
+decrement above the atomic_dec fixes the UAF.
+
+[ The original problem was introduced in 3.1 kernel, while it was
+ developed in a different form. The Fixes tag below indicates the
+ original commit but it doesn't mean that the patch is applicable
+ cleanly. -- tiwai ]
+
+Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/card.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -568,9 +568,12 @@ static void *snd_usb_audio_probe(struct
+
+ __error:
+ if (chip) {
++ /* chip->probing is inside the chip->card object,
++ * clear before memory is possibly returned.
++ */
++ chip->probing = 0;
+ if (!chip->num_interfaces)
+ snd_card_free(chip->card);
+- chip->probing = 0;
+ }
+ mutex_unlock(&register_mutex);
+ __err_val:
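Review bot: the changelog sentence "Moving the decrement above the atomic_dec fixes the UAF" describes the mainline chip->active counter, not the chip->probing flag that this 3.12-based backport actually moves; the bracketed backport note explains the conversion, but the body should be adjusted to "moving the clear of chip->probing above snd_card_free()" so the text matches the diff beneath it. The reordering itself is correct: as the added comment says, chip->probing lives inside the memory that snd_card_free(chip->card) may return, so the old `chip->probing = 0;` placed after the free was a write through a dangling pointer, and nothing between the new assignment and mutex_unlock() touches chip again. Minor: "Patch-mainline: Queued in subsystem maintainer repository" should be replaced by the release tag once the Git-commit above reaches Linus' tree.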
diff --git a/patches.fixes/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch b/patches.fixes/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch
new file mode 100644
index 0000000000..bc2c85415c
--- /dev/null
+++ b/patches.fixes/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch
@@ -0,0 +1,105 @@
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Tue, 26 Sep 2017 17:38:50 -0700
+Subject: net: Set sk_prot_creator when cloning sockets to the right proto
+Patch-mainline: v4.14-rc4
+Git-commit: 9d538fa60bad4f7b23193c89e843797a1cf71ef3
+References: CVE-2018-9568 bsc#1118319
+
+sk->sk_prot and sk->sk_prot_creator can differ when the app uses
+IPV6_ADDRFORM (transforming an IPv6-socket to an IPv4-one).
+Which is why sk_prot_creator is there to make sure that sk_prot_free()
+does the kmem_cache_free() on the right kmem_cache slab.
+
+Now, if such a socket gets transformed back to a listening socket (using
+connect() with AF_UNSPEC) we will allocate an IPv4 tcp_sock through
+sk_clone_lock() when a new connection comes in. But sk_prot_creator will
+still point to the IPv6 kmem_cache (as everything got copied in
+sk_clone_lock()). When freeing, we will thus put this
+memory back into the IPv6 kmem_cache although it was allocated in the
+IPv4 cache. I have seen memory corruption happening because of this.
+
+With slub-debugging and MEMCG_KMEM enabled this gives the warning
+ "cache_from_obj: Wrong slab cache. TCPv6 but object is from TCP"
+
+A C-program to trigger this:
+
+void main(void)
+{
+ int fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
+ int new_fd, newest_fd, client_fd;
+ struct sockaddr_in6 bind_addr;
+ struct sockaddr_in bind_addr4, client_addr1, client_addr2;
+ struct sockaddr unsp;
+ int val;
+
+ memset(&bind_addr, 0, sizeof(bind_addr));
+ bind_addr.sin6_family = AF_INET6;
+ bind_addr.sin6_port = ntohs(42424);
+
+ memset(&client_addr1, 0, sizeof(client_addr1));
+ client_addr1.sin_family = AF_INET;
+ client_addr1.sin_port = ntohs(42424);
+ client_addr1.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+ memset(&client_addr2, 0, sizeof(client_addr2));
+ client_addr2.sin_family = AF_INET;
+ client_addr2.sin_port = ntohs(42421);
+ client_addr2.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+ memset(&unsp, 0, sizeof(unsp));
+ unsp.sa_family = AF_UNSPEC;
+
+ bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
+
+ listen(fd, 5);
+
+ client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ connect(client_fd, (struct sockaddr *)&client_addr1, sizeof(client_addr1));
+ new_fd = accept(fd, NULL, NULL);
+ close(fd);
+
+ val = AF_INET;
+ setsockopt(new_fd, SOL_IPV6, IPV6_ADDRFORM, &val, sizeof(val));
+
+ connect(new_fd, &unsp, sizeof(unsp));
+
+ memset(&bind_addr4, 0, sizeof(bind_addr4));
+ bind_addr4.sin_family = AF_INET;
+ bind_addr4.sin_port = ntohs(42421);
+ bind(new_fd, (struct sockaddr *)&bind_addr4, sizeof(bind_addr4));
+
+ listen(new_fd, 5);
+
+ client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+ connect(client_fd, (struct sockaddr *)&client_addr2, sizeof(client_addr2));
+
+ newest_fd = accept(new_fd, NULL, NULL);
+ close(new_fd);
+
+ close(client_fd);
+ close(new_fd);
+}
+
+As far as I can see, this bug has been there since the beginning of the
+git-days.
+
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/core/sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1253,6 +1253,8 @@ struct sock *sk_clone(const struct sock *sk, const gfp_t priority)
+
+ sock_copy(newsk, sk);
+
++ newsk->sk_prot_creator = sk->sk_prot;
++
+ /* SANITY */
+ get_net(sock_net(newsk));
+ sk_node_init(&newsk->sk_node);
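Review bot: the hunk lands in sk_clone() (see the hunk header) while the description, carried over unchanged from the v4.14 commit, only mentions sk_clone_lock(); add a short backport note in the header, as the ALSA patch in this merge does, stating that the fix was applied to sk_clone() in the 3.0 base. The placement is right: sock_copy() is what carries the stale IPv6 sk_prot_creator into newsk, so overriding it with sk->sk_prot immediately afterwards makes sk_prot_free() hand the clone back to the cache it was allocated from, which is exactly the mismatch the "cache_from_obj: Wrong slab cache" warning reports. Style: the References tag here is "CVE-2018-9568 bsc#1118319" (space-separated) whereas the ALSA patch uses "CVE-2018-19824,bsc#1118152"; pick one separator so tooling that parses References sees both identifiers consistently.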
diff --git a/series.conf b/series.conf
index 2869c6c80f..6536117736 100644
--- a/series.conf
+++ b/series.conf
@@ -3407,6 +3407,7 @@
patches.fixes/slab-introduce-kmalloc_array.patch
patches.fixes/irda-Fix-memory-leak-caused-by-repeated-binds-of-ird.patch
patches.fixes/irda-Only-insert-new-objects-into-the-global-databas.patch
+ patches.fixes/net-Set-sk_prot_creator-when-cloning-sockets-to-the-.patch
########################################################
# NFS
@@ -22030,6 +22031,7 @@
patches.drivers/ASoC-blackfin-Fix-missing-break
patches.drivers/ALSA-fm801-propagate-TUNER_ONLY-bit-when-autodetecte
patches.drivers/ALSA-snd-aoa-add-of_node_put-in-error-path
+ patches.drivers/ALSA-usb-audio-Fix-UAF-decrement-if-card-has-no-live.patch
##########################################################
# Char + Serial