Issue metadata
Sign in to add a comment
|
CVE-2017-16528: CrOS: ALSA: seq: Use after free at unbind device |
||||||||||||||||||||||
Issue description
sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local
users to cause a denial of service (snd_rawmidi_dev_seq_free
use-after-free and system crash) or possibly have unspecified other
impact via a crafted USB device.
Upstream commit fc27fe7e8 ("ALSA: seq: Cancel pending autoload work at unbinding device").
,
Nov 9 2017
Most likely a noop for lakitu but copying rkolchmeyer@ just in case.
,
Nov 9 2017
Can confirm that this is a noop for lakitu.
,
Nov 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ee5900de84118b7532502ea1e115a6c240dd391d commit ee5900de84118b7532502ea1e115a6c240dd391d Author: Takashi Iwai <tiwai@suse.de> Date: Fri Nov 10 03:16:29 2017 UPSTREAM: ALSA: seq: Cancel pending autoload work at unbinding device ALSA sequencer core has a mechanism to load the enumerated devices automatically, and it's performed in an off-load work. This seems causing some race when a sequencer is removed while the pending autoload work is running. As syzkaller spotted, it may lead to some use-after-free: BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617 Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567 CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: events autoload_drivers Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x192/0x22c lib/dump_stack.c:52 print_address_description+0x78/0x280 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x230/0x340 mm/kasan/report.c:409 __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435 snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617 snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192 device_release+0x13f/0x210 drivers/base/core.c:814 kobject_cleanup lib/kobject.c:648 [inline] kobject_release lib/kobject.c:677 [inline] kref_put include/linux/kref.h:70 [inline] kobject_put+0x145/0x240 lib/kobject.c:694 put_device+0x25/0x30 drivers/base/core.c:1799 klist_devices_put+0x36/0x40 drivers/base/bus.c:827 klist_next+0x264/0x4a0 lib/klist.c:403 next_device drivers/base/bus.c:270 [inline] bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312 autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 kthread+0x324/0x3f0 kernel/kthread.c:231 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 The fix is simply to assure canceling the autoload work at removing the device. BUG= chromium:782594 , chromium:783243 TEST=Build and run Change-Id: Ia1abce523b818e2d85345b3215560050c0d6fc12 Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit fc27fe7e8) Reviewed-on: https://chromium-review.googlesource.com/760401 Reviewed-by: Dylan Reid <dgreid@chromium.org> [modify] https://crrev.com/ee5900de84118b7532502ea1e115a6c240dd391d/sound/core/seq/seq_device.c
,
Nov 10 2017
,
Nov 11 2017
,
Nov 18 2017
Issue 786703 has been merged into this issue.
,
Jan 22 2018
,
Feb 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by groeck@chromium.org
, Nov 9 2017