[SRU][T/B/C][PATCH 0/1] CVE-2018-19824 - ALSA use-after-free
Hui Wang
hui.wang at canonical.com
Mon Feb 18 14:49:56 UTC 2019
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19824.html
In the Linux kernel through 4.19.6, a local user could exploit a
use-after-free in the ALSA driver by supplying a malicious USB Sound device
(with zero interfaces) that is mishandled in usb_audio_probe in
sound/usb/card.c.
This bug affects Trusty, Bionic and Cosmic kernels, for B and C kernels,
the fix is cleanly cherry-picked, for Trusty, it is backported.
For the U-A-F issue here, probably neither the commit header nor the code change
itself is self-explanatory. We want to free chip->card first, then access
chip->active; it looks like the sequence is fine.
After investigating, I found why this patch is needed. When the driver frees
chip->card, it will find each snd_device under chip->card and call ops->free()
of each snd_device; in the ops->free() of one of the snd_devices, it will
free chip, so chip->active can't be accessed anymore. After applying
this patch, the U-A-F is fixed.
Hui Peng (1):
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
sound/usb/card.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--
2.17.1
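The ownership chain described in the cover letter (card owns snd_devices, one snd_device's ops->free() releases the chip that also holds the card pointer, so touching chip->active after snd_card_free() is a use-after-free) is easiest to see in a small model. The following is an added example, not code from the patch or the kernel: the struct names, the `snd_card_free`/`teardown_*` helpers and the `g_last_freed_chip` detector are all simplified stand-ins chosen here, not the real ALSA types or APIs. Instead of dereferencing freed memory, the buggy path checks the detector and reports that it would have; the fixed path does the accounting on chip->active before the card teardown, which is the ordering the patch establishes.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the objects named in the mail.
 * These are NOT the kernel's real struct snd_card / snd_device / chip. */
struct snd_device {
    struct snd_device *next;
    void *device_data;               /* object owned by this device */
    void (*free)(void *device_data); /* stands in for ops->free() */
};

struct snd_card {
    struct snd_device *devices;      /* list walked during card free */
};

struct snd_chip {
    struct snd_card *card;           /* chip->card in the mail */
    int active;                      /* chip->active in the mail */
};

/* Demo-only bookkeeping: address of the chip most recently released by a
 * device free callback, kept as an integer so no dangling pointer is
 * dereferenced. Lets the buggy path detect the UAF instead of doing it. */
static uintptr_t g_last_freed_chip;

/* The snd_device whose ops->free() owns and frees the chip, as described. */
static void chip_free_cb(void *data)
{
    struct snd_chip *chip = data;
    g_last_freed_chip = (uintptr_t)chip;
    free(chip);
}

/* Walk every snd_device under the card, call its free callback, then free
 * the card itself. After this returns, the chip is gone too. */
static void snd_card_free(struct snd_card *card)
{
    struct snd_device *dev = card->devices;
    while (dev) {
        struct snd_device *next = dev->next;
        if (dev->free)
            dev->free(dev->device_data);
        free(dev);
        dev = next;
    }
    free(card);
}

/* Buggy ordering from the mail: free the card first, then touch chip->active.
 * Returns -1 if the access would land on freed memory, else the new count. */
int teardown_buggy(struct snd_chip *chip)
{
    snd_card_free(chip->card);
    if ((uintptr_t)chip == g_last_freed_chip)
        return -1;                   /* chip->active-- here would be a UAF */
    return --chip->active;
}

/* Fixed ordering: account chip->active while the chip is still live, then
 * free the card. The chip is never touched after its free callback runs. */
int teardown_fixed(struct snd_chip *chip)
{
    int remaining = --chip->active;
    snd_card_free(chip->card);
    return remaining;
}

/* Build one chip with one card holding one snd_device that owns the chip
 * (constructed test fixture; active starts at 1). */
struct snd_chip *make_chip(void)
{
    struct snd_chip *chip = calloc(1, sizeof *chip);
    struct snd_card *card = calloc(1, sizeof *card);
    struct snd_device *dev = calloc(1, sizeof *dev);
    if (!chip || !card || !dev) {
        free(chip); free(card); free(dev);
        return NULL;
    }
    dev->device_data = chip;
    dev->free = chip_free_cb;
    card->devices = dev;
    chip->card = card;
    chip->active = 1;
    return chip;
}
```

Running `teardown_buggy(make_chip())` reports the would-be UAF (-1), while `teardown_fixed(make_chip())` returns the decremented count (0) and frees everything exactly once. The general lesson the example shows is the ordering rule the patch applies: any field that lives in an object reachable from the free path must be read or updated before the teardown that can release it.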