3.18-stable patches

added patches:
	alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch

diff --git a/queue-3.18/alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch b/queue-3.18/alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch
new file mode 100644 (file)
index 0000000..ad8bc36
--- /dev/null
+++ b/queue-3.18/alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch
@@ -0,0 +1,48 @@
+From erickreyes@google.com  Thu Aug 16 12:07:22 2018
+From: Erick Reyes <erickreyes@google.com>
+Date: Wed, 15 Aug 2018 17:55:48 -0700
+Subject: ALSA: info: Check for integer overflow in snd_info_entry_write()
+To: stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>, kernel-team@android.com, Vinod Koul <vkoul@kernel.org>, Joe Perches <joe@perches.com>, Al Viro <viro@zeniv.linux.org.uk>, alsa-devel@alsa-project.org, Erick Reyes <erickreyes@google.com>, Siqi Lin <siqilin@google.com>
+Message-ID: <20180816005548.151269-1-erickreyes@google.com>
+
+From: Erick Reyes <erickreyes@google.com>
+
+Commit 4adb7bcbcb69 ("ALSA: core: Use seq_file for text proc file
+reads") heavily refactored ALSA procfs and fixed the overflow as
+a side-effect, so this fix only applies to kernels < 4.2 and
+there is no upstream equivalent
+
+snd_info_entry_write() resizes the buffer with an unsigned long
+size argument that gets truncated because resize_info_buffer()
+takes the size parameter as an unsigned int. On 64-bit kernels,
+this causes the following copy_to_user() to write out-of-bounds
+if (pos + count) can't be represented by an unsigned int.
+
+Signed-off-by: Siqi Lin <siqilin@google.com>
+Signed-off-by: Erick Reyes <erickreyes@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/info.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/core/info.c
++++ b/sound/core/info.c
+@@ -253,6 +253,7 @@ static ssize_t snd_info_entry_write(stru
+       struct snd_info_buffer *buf;
+       ssize_t size = 0;
+       loff_t pos;
++      unsigned long realloc_size;
+ 
+       data = file->private_data;
+       if (snd_BUG_ON(!data))
+@@ -261,7 +262,8 @@ static ssize_t snd_info_entry_write(stru
+       pos = *offset;
+       if (pos < 0 || (long) pos != pos || (ssize_t) count < 0)
+               return -EIO;
+-      if ((unsigned long) pos + (unsigned long) count < (unsigned long) pos)
++      realloc_size = (unsigned long) pos + (unsigned long) count;
++      if (realloc_size < (unsigned long) pos || realloc_size > UINT_MAX)
+               return -EIO;
+       switch (entry->content) {
+       case SNDRV_INFO_CONTENT_TEXT:

diff --git a/queue-3.18/series b/queue-3.18/series
index c9c01284993fb931a8a52442ad6c2c00596cde3b..db629cfad418a8883b3139af3aef120fee75000a 100644 (file)
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -4,3 +4,4 @@ fix-mntput-mntput-race.patch
 fix-__legitimize_mnt-mntput-race.patch
 arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch
 kprobes-x86-fix-p-uses-in-error-messages.patch
+alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch