CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)

This commit is contained in:
Josh Boyer 2016-05-10 08:16:35 -04:00
parent 0494a46c4e
commit 4bf3dea79c
4 changed files with 109 additions and 0 deletions

View File

@ -0,0 +1,33 @@
From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:07 -0400
Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 6469bedda2f3..964f5ebf495e 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
if (tu->tread) {
struct snd_timer_tread tread;
+ memset(&tread, 0, sizeof(tread));
tread.event = SNDRV_TIMER_EVENT_EARLY;
tread.tstamp.tv_sec = 0;
tread.tstamp.tv_nsec = 0;
--
2.5.5

View File

@ -0,0 +1,34 @@
From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:20 -0400
Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
snd_timer_user_ccallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 964f5ebf495e..e98fa5feb731 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
tu->tstamp = *tstamp;
if ((tu->filter & (1 << event)) == 0 || !tu->tread)
return;
+ memset(&r1, 0, sizeof(r1));
r1.event = event;
r1.tstamp = *tstamp;
r1.val = resolution;
--
2.5.5

View File

@ -0,0 +1,34 @@
From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu@gmail.com>
Date: Tue, 3 May 2016 16:44:32 -0400
Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
snd_timer_user_tinterrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index e98fa5feb731..c69a27155433 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
}
if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
tu->last_resolution != resolution) {
+ memset(&r1, 0, sizeof(r1));
r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
r1.tstamp = tstamp;
r1.val = resolution;
--
2.5.5

View File

@ -618,6 +618,11 @@ Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
Patch707: net-fix-infoleak-in-llc.patch
Patch708: net-fix-infoleak-in-rtnetlink.patch
#CVE-2016-4569 rhbz 1334643 1334645
Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
# END OF PATCH DEFINITIONS
%endif
@ -2143,6 +2148,9 @@ fi
#
#
%changelog
* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
* Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git0.1
- Linux v4.6-rc7