ACK: [SRU][B/C][PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
Tyler Hicks
tyhicks at canonical.com
Mon Feb 18 15:31:29 UTC 2019
On 2019-02-18 22:49:57, Hui Wang wrote:
> From: Hui Peng <benquike at gmail.com>
>
> If a USB sound card reports 0 interfaces, an error condition is triggered
> and the function usb_audio_probe errors out. In the error path, there was a
> use-after-free vulnerability where the memory object of the card was first
> freed, followed by a decrement of the number of active chips. Moving the
> decrement above the atomic_dec fixes the UAF.
>
> [ The original problem was introduced in 3.1 kernel, while it was
> developed in a different form. The Fixes tag below indicates the
> original commit but it doesn't mean that the patch is applicable
> cleanly. -- tiwai ]
>
> Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
> Reported-by: Hui Peng <benquike at gmail.com>
> Reported-by: Mathias Payer <mathias.payer at nebelwelt.net>
> Signed-off-by: Hui Peng <benquike at gmail.com>
> Signed-off-by: Mathias Payer <mathias.payer at nebelwelt.net>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
>
> CVE-2018-19824
>
> (cherry picked from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
> Signed-off-by: Hui Wang <hui.wang at canonical.com>
This is a low risk change that cherry picks cleanly.
Acked-by: Tyler Hicks <tyhicks at canonical.com>
Thanks for working on this!
Tyler
> ---
> sound/usb/card.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/usb/card.c b/sound/usb/card.c
> index 3ffb8e5aa50c..9ba2dcc0a326 100644
> --- a/sound/usb/card.c
> +++ b/sound/usb/card.c
> @@ -672,9 +672,12 @@ static int usb_audio_probe(struct usb_interface *intf,
>
> __error:
> if (chip) {
> + /* chip->active is inside the chip->card object,
> + * decrement before memory is possibly returned.
> + */
> + atomic_dec(&chip->active);
> if (!chip->num_interfaces)
> snd_card_free(chip->card);
> - atomic_dec(&chip->active);
> }
> mutex_unlock(®ister_mutex);
> return err;
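Review bot: the block comment added ahead of `atomic_dec(&chip->active)` puts text on the opening `/*` line; kernel coding style for multi-line comments (outside net/) wants `/*` alone on the first line, with the text starting on the `*` lines below it. The reordering itself is the right fix: the comment says `chip->active` lives inside the `chip->card` object, so once `snd_card_free(chip->card)` returns the old `atomic_dec(&chip->active)` touched freed memory, and moving the decrement before the `if (!chip->num_interfaces)` check closes that window while `chip` is still valid. The trailing context line shows `mutex_unlock(®ister_mutex)`; that is the mail archive rendering `&register_mutex` as an HTML entity, not part of the change.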
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team