| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-02-09 07:54:01 +0100 | 
|---|---|---|
| committer | Zhenhua Luo <zhenhua.luo@freescale.com> | 2015-03-06 16:27:44 +0800 | 
| commit | 0a51b84c2c2f49f809b513210f2e627757ddcf64 (patch) | |
| tree | 06b8d9650d60314fcfde3d8832803b6a7110d539 | |
| parent | d2c2e06bf9b990b4e330ce83ce5cf3b88c8b46a1 (diff) | |
ALSA: CVE-2014-4656
Handle numid overflow
Make sure that id->index does not overflow
References:
http://www.openwall.com/lists/oss-security/2014/06/26/6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4656
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
3 files changed, 91 insertions, 0 deletions
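--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0001-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,43 @@
+From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:35 +0200
+Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow
+
+commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
+
+The ALSA control code expects that the range of assigned indices to a control is
+continuous and does not overflow. Currently there are no checks to enforce this.
+If a control with a overflowing index range is created that control becomes
+effectively inaccessible and unremovable since snd_ctl_find_id() will not be
+able to find it. This patch adds a check that makes sure that controls with a
+overflowing index range can not be created.
+
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+sound/core/control.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 93215b4..98a29b2 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
+if (snd_BUG_ON(!card || !kcontrol->info))
+goto error;
+id = kcontrol->id;
++ if (id.index > UINT_MAX - kcontrol->count)
++ goto error;
++
+down_write(&card->controls_rwsem);
+if (snd_ctl_find_id(card, &id)) {
+up_write(&card->controls_rwsem);
+--
+1.9.1
+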
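Review bot: The added guard `if (id.index > UINT_MAX - kcontrol->count)` in snd_ctl_add has no comment, while the numid guard in 0002-ALSA-CVE-2014-4656.patch does. I would put `/* Reject controls whose index range would wrap past UINT_MAX */` above it so the invariant stays visible to whoever next touches this path. The new `goto error` reuses the label of the existing check two lines earlier and runs before `controls_rwsem` is taken, so no unlock is needed. The label itself and the value returned from it lie outside the hunk, so confirm on the 3.12 tree that this path releases `kcontrol` and returns an error.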
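--- /dev/null
+++ b/meta-fsl-ppc/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,46 @@
+From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:34 +0200
+Subject: [PATCH] ALSA: control: Handle numid overflow
+
+commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
+
+Each control gets automatically assigned its numids when the control is created.
+The allocation is done by incrementing the numid by the amount of allocated
+numids per allocation. This means that excessive creation and destruction of
+controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
+eventually overflow. Currently when this happens for the control that caused the
+overflow kctl->id.numid + kctl->count will also over flow causing it to be
+smaller than kctl->id.numid. Most of the code assumes that this is something
+that can not happen, so we need to make sure that it won't happen
+
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+sound/core/control.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index d4a597f..93215b4 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
+{
+struct snd_kcontrol *kctl;
+
++ /* Make sure that the ids assigned to the control do not wrap around */
++ if (card->last_numid >= UINT_MAX - count)
++ card->last_numid = 0;
++
+list_for_each_entry(kctl, &card->controls, list) {
+if (kctl->id.numid < card->last_numid + 1 + count &&
+kctl->id.numid + kctl->count > card->last_numid + 1) {
+--
+1.9.1
+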
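Review bot: The reset `card->last_numid = 0` in snd_ctl_remove_numid_conflict keeps `card->last_numid + 1 + count` from wrapping only while `count` is itself below UINT_MAX. With `count` at that limit, the sum in the loop condition just below can still wrap after the reset. Whether callers bound `count` is not visible here, since the rest of the signature and the function body lie outside the hunk, so that is worth confirming on the 3.12 tree. The comment could also state the consequence of the reset, for example `/* Restart numid allocation from 0 instead of letting last_numid + count wrap */`.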
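--- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -27,6 +27,8 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://0002-ALSA-CVE-2014-4653.patch \
 file://sctp-CVE-2014-4667.patch \
 file://sctp-CVE-2014-7841.patch \
+file://0001-ALSA-CVE-2014-4656.patch \
+file://0002-ALSA-CVE-2014-4656.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 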
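Review bot: The two new SRC_URI entries apply the patches in the reverse of their upstream order. The `index` lines in the patch files show 0002 (`d4a597f..93215b4`) producing the blob that 0001 (`93215b4..98a29b2`) starts from. The hunks touch different functions, so both should still apply, but 0001's hunk at line 343 will presumably go in with a line offset. Swapping the two file names, or the order of the two `file://` lines, would keep the series applying cleanly and in line with upstream history.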
