| author | Alexandre Oliva <lxoliva@fsfla.org> | 2017-10-17 20:26:31 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2017-10-17 20:26:31 +0000 |
| commit | 419c2c178357827cc201642b4c780a4066695fc7 (patch) | |
| tree | 83d4db86dc7497473db67b7b51e8eab977bd0dd9 | |
| parent | aa268e2ea751de1628bf8f96d7458b2c3b9abcf0 (diff) | |
| download | linux-libre-raptor-419c2c178357827cc201642b4c780a4066695fc7.tar.gz linux-libre-raptor-419c2c178357827cc201642b4c780a4066695fc7.zip | |
4.13.7-100.fc25.gnu
5 files changed, 159 insertions, 8 deletions
diff --git a/freed-ora/current/f25/0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch b/freed-ora/current/f25/0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
new file mode 100644
index 000000000..d04add8aa
--- /dev/null
+++ b/freed-ora/current/f25/0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
@@ -0,0 +1,140 @@
+From 71105998845fb012937332fe2e806d443c09e026 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Oct 2017 11:09:20 +0200
+Subject: [PATCH] ALSA: seq: Fix use-after-free at creating a port
+
+There is a potential race window opened at creating and deleting a
+port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates
+a port object and returns its pointer, but it doesn't take the
+refcount, thus it can be deleted immediately by another thread.
+Meanwhile, snd_seq_ioctl_create_port() still calls the function
+snd_seq_system_client_ev_port_start() with the created port object
+that is being deleted, and this triggers use-after-free like:
+
+ BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
+ =============================================================================
+ BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
+ -----------------------------------------------------------------------------
+ INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
+ ___slab_alloc+0x425/0x460
+ __slab_alloc+0x20/0x40
+ kmem_cache_alloc_trace+0x150/0x190
+ snd_seq_create_port+0x94/0x9b0 [snd_seq]
+ snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
+ snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+ snd_seq_ioctl+0x40/0x80 [snd_seq]
+ do_vfs_ioctl+0x54b/0xda0
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x16/0x75
+ INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
+ __slab_free+0x204/0x310
+ kfree+0x15f/0x180
+ port_delete+0x136/0x1a0 [snd_seq]
+ snd_seq_delete_port+0x235/0x350 [snd_seq]
+ snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
+ snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+ snd_seq_ioctl+0x40/0x80 [snd_seq]
+ do_vfs_ioctl+0x54b/0xda0
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x16/0x75
+ Call Trace:
+ [<ffffffff81b03781>] dump_stack+0x63/0x82
+ [<ffffffff81531b3b>] print_trailer+0xfb/0x160
+ [<ffffffff81536db4>] object_err+0x34/0x40
+ [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
+ [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+ [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
+ [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
+ [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
+ [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
+ [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
+ [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
+ [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
+ [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
+ .....
+
+We may fix this in a few different ways, and in this patch, it's fixed
+simply by taking the refcount properly at snd_seq_create_port() and
+letting the caller unref the object after use. Also, there is another
+potential use-after-free by sprintf() call in snd_seq_create_port(),
+and this is moved inside the lock.
+
+This fix covers CVE-2017-15265.
+
+Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/seq/seq_clientmgr.c | 6 +++++-
+ sound/core/seq/seq_ports.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index ea2d0ae85bd3..6c9cba2166d9 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
+ struct snd_seq_port_info *info = arg;
+ struct snd_seq_client_port *port;
+ struct snd_seq_port_callback *callback;
++ int port_idx;
+ 
+ /* it is not allowed to create the port for an another client */
+ if (info->addr.client != client->number)
+@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
+ return -ENOMEM;
+ 
+ if (client->type == USER_CLIENT && info->kernel) {
+- snd_seq_delete_port(client, port->addr.port);
++ port_idx = port->addr.port;
++ snd_seq_port_unlock(port);
++ snd_seq_delete_port(client, port_idx);
+ return -EINVAL;
+ }
+ if (client->type == KERNEL_CLIENT) {
+@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg)
+ 
+ snd_seq_set_port_info(port, info);
+ snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port);
++ snd_seq_port_unlock(port);
+ 
+ return 0;
+ }
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
+index 0a7020c82bfc..d21ece9f8d73 100644
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp)
+ }
+ 
+ 
+-/* create a port, port number is returned (-1 on failure) */
++/* create a port, port number is returned (-1 on failure);
++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately
++ */
+ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+ int port)
+ {
+@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+ snd_use_lock_init(&new_port->use_lock);
+ port_subs_info_init(&new_port->c_src);
+ port_subs_info_init(&new_port->c_dest);
++ snd_use_lock_use(&new_port->use_lock);
+ 
+ num = port >= 0 ? port : 0;
+ mutex_lock(&client->ports_mutex);
+@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client,
+ list_add_tail(&new_port->list, &p->list);
+ client->num_ports++;
+ new_port->addr.port = num; /* store the port number in the port */
++ sprintf(new_port->name, "port-%d", num);
+ write_unlock_irqrestore(&client->ports_lock, flags);
+ mutex_unlock(&client->ports_mutex);
+- sprintf(new_port->name, "port-%d", num);
+ 
+ return new_port;
+ }
+-- 
+2.13.5
+
diff --git a/freed-ora/current/f25/kernel.spec b/freed-ora/current/f25/kernel.spec
index aae2d27b7..5be38263e 100644
--- a/freed-ora/current/f25/kernel.spec
+++ b/freed-ora/current/f25/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 7
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -736,6 +736,9 @@ Patch630: Input-synaptics---Disable-kernel-tracking-on-SMBus-devices.patch
 # Headed upstream
 Patch631: drm-i915-boost-GPU-clocks-if-we-miss-the-pageflip.patch
 
+# CVE-2017-15265 rhbz 1501878 1501880
+Patch633: 0001-ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2406,6 +2409,14 @@ fi
 #
 #
 %changelog
+* Mon Oct 16 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.13.7-gnu.
+
+* Mon Oct 16 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.13.7-100
+- Linux v4.13.7
+- Fixes CVE-2017-5123 (rhbz 1500094 1501762)
+- Fix CVE-2017-15265 (rhbz 1501878 1501880)
+
 * Fri Oct 13 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.13.6-gnu.
 
diff --git a/freed-ora/current/f25/patch-4.13-gnu-4.13.6-gnu.xz.sign b/freed-ora/current/f25/patch-4.13-gnu-4.13.6-gnu.xz.sign
deleted file mode 100644
index 8c03569c3..000000000
--- a/freed-ora/current/f25/patch-4.13-gnu-4.13.6-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWeAThgAKCRC8t8+Hfn1H
-p2nMAKCOE+g9dOiE+VxT2210LlcFmnU04QCgnMfMIvQfYGJ8090BKIkYuR5dAB4=
-=uYEY
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/patch-4.13-gnu-4.13.7-gnu.xz.sign b/freed-ora/current/f25/patch-4.13-gnu-4.13.7-gnu.xz.sign
new file mode 100644
index 000000000..de6e33bd6
--- /dev/null
+++ b/freed-ora/current/f25/patch-4.13-gnu-4.13.7-gnu.xz.sign
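Review bot: The `Patch633:` declaration added in the 736 hunk is not visibly paired with an application step, and whether this spec's %prep loop applies every PatchNNN automatically is outside this view, so the backport could be declared yet never applied; confirm it is picked up, for instance by checking that the prepared tree's sound/core/seq/seq_ports.c contains the added `snd_use_lock_use(&new_port->use_lock);` line. The accompanying comment would also be more useful to whoever later drops the patch if it named what it backports, e.g. `# CVE-2017-15265 rhbz 1501878 1501880 (upstream 71105998845fb012937332fe2e806d443c09e026, expected in a later 4.13.y stable)`, since the only evidence of the upstream origin is the From line inside the patch file itself. The number gap from Patch631 to Patch633 is presumably intentional but is worth a word in the comment if Patch632 lives in another branch.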
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWeJnRgAKCRC8t8+Hfn1H
+pwpsAJ44IvYXOCIlLoqL1fgv9foU0ntwkQCgma6Yq/LpH1UT479xLR/7DuGbfhw=
+=+YX7
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/sources b/freed-ora/current/f25/sources
index 5e21b45cd..9d3f6dadb 100644
--- a/freed-ora/current/f25/sources
+++ b/freed-ora/current/f25/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.13-gnu.tar.xz) = 9ad6866c68f29f7e4f8b53d0b857f9b3c7f6abd0054460675c76f3100db34a77c2777d7f4191831008b532cb2ab6f686d8c4f457a4d005226c73f90937963518
 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03
-SHA512 (patch-4.13-gnu-4.13.6-gnu.xz) = f5d706c9c494e64ab902da3487e3b1495c2ca2630c4a8a6303d32a8ffee61ddf98425790d6a0cb5ab471cddceaf0e026e4dfe6264729df1ffa18942bd8037b38
+SHA512 (patch-4.13-gnu-4.13.7-gnu.xz) = da3eeff6c82ac7a471f40d81c9259a11ac5671368c7caa8da81a2ef3f0a82341415513689c282963fc2a8b9278b190f4e9856bb06c2506c648807f6ff9264299 |

