[thirdparty/kernel/stable-queue.git] / releases / 4.19.9 / alsa-usb-audio-fix-uaf-decrement-if-card-has-no-live-interfaces-in-card.c.patch

From 5f8cf712582617d523120df67d392059eaf2fc4b Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Mon, 3 Dec 2018 16:09:34 +0100
Subject: ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c

From: Hui Peng <benquike@gmail.com>

commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.

If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.

[ The original problem was introduced in 3.1 kernel, while it was
  developed in a different form.  The Fixes tag below indicates the
  original commit but it doesn't mean that the patch is applicable
  cleanly. -- tiwai ]

Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/card.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -682,9 +682,12 @@ static int usb_audio_probe(struct usb_in
 
  __error:
 	if (chip) {
+		/* chip->active is inside the chip->card object,
+		 * decrement before memory is possibly returned.
+		 */
+		atomic_dec(&chip->active);
 		if (!chip->num_interfaces)
 			snd_card_free(chip->card);
-		atomic_dec(&chip->active);
 	}
 	mutex_unlock(&register_mutex);
 	return err;
Commit	Line	Data
1a286333 GKH	1	From 5f8cf712582617d523120df67d392059eaf2fc4b Mon Sep 17 00:00:00 2001
	2	From: Hui Peng <benquike@gmail.com>
	3	Date: Mon, 3 Dec 2018 16:09:34 +0100
	4	Subject: ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
	5
	6	From: Hui Peng <benquike@gmail.com>
	7
	8	commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.
	9
	10	If a USB sound card reports 0 interfaces, an error condition is triggered
	11	and the function usb_audio_probe errors out. In the error path, there was a
	12	use-after-free vulnerability where the memory object of the card was first
	13	freed, followed by a decrement of the number of active chips. Moving the
	14	decrement above the atomic_dec fixes the UAF.
	15
	16	[ The original problem was introduced in 3.1 kernel, while it was
	17	developed in a different form. The Fixes tag below indicates the
	18	original commit but it doesn't mean that the patch is applicable
	19	cleanly. -- tiwai ]
	20
	21	Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
	22	Reported-by: Hui Peng <benquike@gmail.com>
	23	Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
	24	Signed-off-by: Hui Peng <benquike@gmail.com>
	25	Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
	26	Cc: <stable@vger.kernel.org>
	27	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	28	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	29
	30	---
	31	sound/usb/card.c \| 5 ++++-
	32	1 file changed, 4 insertions(+), 1 deletion(-)
	33
	34	--- a/sound/usb/card.c
	35	+++ b/sound/usb/card.c
	36	@@ -682,9 +682,12 @@ static int usb_audio_probe(struct usb_in
	37
	38	__error:
	39	if (chip) {
	40	+ /* chip->active is inside the chip->card object,
	41	+ * decrement before memory is possibly returned.
	42	+ */
	43	+ atomic_dec(&chip->active);
	44	if (!chip->num_interfaces)
	45	snd_card_free(chip->card);
	46	- atomic_dec(&chip->active);
	47	}
	48	mutex_unlock(&register_mutex);
	49	return err;