authorMichal Marek <mmarek@suse.com>2016-05-11 10:17:23 +0200
committerMichal Marek <mmarek@suse.com>2016-05-11 10:17:23 +0200
commit4a09d3b8ab3bd8c6f903b0ec91b0f6d3134a778d (patch)
tree6f7b7d907c21e9c263b5a183377402ce6341603c
parent91c1d3ef1ce99b01e92a24af6f47e23e0ab746da (diff)
parent89a9adbaefa1241ee9dccbfa161df259b9a925ed (diff)
Merge branch 'users/tiwai/SLE12-SP2/for-next' into SLE12-SP2
Pull ALSA security fixes from Takashi Iwai (CVE-2016-4569, bsc#979213).
-rw-r--r--patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS33
-rw-r--r--patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca33
-rw-r--r--patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin33
-rw-r--r--series.conf4
4 files changed, 103 insertions, 0 deletions
diff --git a/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS b/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
new file mode 100644
index 0000000000..e549890f4c
--- /dev/null
+++ b/patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
@@ -0,0 +1,33 @@
+From cec8f96e49d9be372fdb0c3836dcf31ec71e457e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: [PATCH] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: cec8f96e49d9be372fdb0c3836dcf31ec71e457e
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+References: CVE-2016-4569,bsc#979213
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1733,6 +1733,7 @@ static int snd_timer_user_params(struct
+ if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ if (tu->tread) {
+ struct snd_timer_tread tread;
++ memset(&tread, 0, sizeof(tread));
+ tread.event = SNDRV_TIMER_EVENT_EARLY;
+ tread.tstamp.tv_sec = 0;
+ tread.tstamp.tv_nsec = 0;
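Review bot: The added `memset(&tread, 0, sizeof(tread));` has no comment saying it exists to clear struct padding, so a later cleanup could replace it with a field-wise or brace initializer, which is not guaranteed to zero padding bytes and would reopen the leak the patch header describes. I would put a line above it such as `/* zero padding too: the patch header says tread is sent to user space */`. With the whole object cleared, the following `tread.tstamp.tv_sec = 0;` and `tread.tstamp.tv_nsec = 0;` are redundant and could be dropped. The same comment would help on the `memset(&r1, 0, sizeof(r1));` lines in the snd_timer_user_ccallback and snd_timer_user_tinterrupt patches. snd_timer_user_params starts and ends outside the hunk.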
diff --git a/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca b/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
new file mode 100644
index 0000000000..513ccb2918
--- /dev/null
+++ b/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
@@ -0,0 +1,33 @@
+From 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [PATCH] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+References: CVE-2016-4569,bsc#979213
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(str
+ tu->tstamp = *tstamp;
+ if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ return;
++ memset(&r1, 0, sizeof(r1));
+ r1.event = event;
+ r1.tstamp = *tstamp;
+ r1.val = resolution;
diff --git a/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin b/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
new file mode 100644
index 0000000000..08c486d7b7
--- /dev/null
+++ b/patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
@@ -0,0 +1,33 @@
+From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [PATCH] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: e4ec8cc8039a7063e24204299b462bd1383184a5
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+References: CVE-2016-4569,bsc#979213
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(st
+ }
+ if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ tu->last_resolution != resolution) {
++ memset(&r1, 0, sizeof(r1));
+ r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ r1.tstamp = tstamp;
+ r1.val = resolution;
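Review bot: The `memset(&r1, 0, sizeof(r1));` sits inside the `SNDRV_TIMER_EVENT_RESOLUTION` branch, so r1 is cleared only when that condition holds. If snd_timer_user_tinterrupt also fills and queues r1 on another path after this block, that path would still expose uninitialized padding whenever the resolution branch was skipped. The rest of the function is outside the hunk, so this needs checking against the full source. Moving `memset(&r1, 0, sizeof(r1));` above the `if`, so it runs once before any use of r1, would cover every path.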
diff --git a/series.conf b/series.conf
index 3281e90e10..aa290cc352 100644
--- a/series.conf
+++ b/series.conf
@@ -3591,6 +3591,10 @@
patches.drivers/ALSA-timer-Protect-the-whole-snd_timer_close-with-op
patches.drivers/ALSA-timer-Call-notifier-in-the-same-spinlock
+ patches.fixes/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS
+ patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca
+ patches.fixes/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin
+
# USB SS+
patches.drivers/0001-usb-audio-correct-speed-checking.patch
patches.drivers/0002-usb-midi-correct-speed-checking.patch