This is a note to let you know that I've just added the patch titled

    ALSA: bcd2000: Fix a UAF bug on the error path of probing

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


commit 417b02292c38ad7837cc70a12c419eed2230ca3c
Author: Zheyu Ma <zheyuma97@xxxxxxxxx>
Date:   Fri Jul 15 09:05:15 2022 +0800

    ALSA: bcd2000: Fix a UAF bug on the error path of probing

    commit ffb2759df7efbc00187bfd9d1072434a13a54139 upstream.

    When the driver fails in snd_card_register() at probe time, it will free
    the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.

    The following log can reveal it:

    [ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
    [ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
    [ 50.729530] Call Trace:
    [ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]

    Fix this by adding usb_kill_urb() before usb_free_urb().

    Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
    Signed-off-by: Zheyu Ma <zheyuma97@xxxxxxxxx>
    Cc: <stable@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@xxxxxxxxx
    Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c index d060dddcc52d..379bdf26e985 100644 --- a/sound/usb/bcd2000/bcd2000.c +++ b/sound/usb/bcd2000/bcd2000.c 
@@ -350,7 +350,8 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k) static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k, struct usb_interface *interface) { - /* usb_kill_urb not necessary, urb is aborted automatically */ + usb_kill_urb(bcd2k->midi_out_urb); + usb_kill_urb(bcd2k->midi_in_urb); usb_free_urb(bcd2k->midi_out_urb); usb_free_urb(bcd2k->midi_in_urb);
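
Review bot: the kill-before-free ordering at the top of bcd2000_free_usb_related_resources() is now load-bearing and should carry a short comment in place of the removed one, which claimed the opposite ("usb_kill_urb not necessary, urb is aborted automatically"). Something like "wait for in-flight completion handlers before freeing" would keep a later cleanup from reordering or dropping the two usb_kill_urb() calls. usb_kill_urb() is the right primitive here because it blocks until the completion handler has returned and rejects resubmission in the meantime, and it returns early on a NULL urb, so the calls are safe on the probe error path. It can sleep, though, so this helper must stay in process context. The commit message also names 'bcd2k->midi_out_urb' as the freed URB while the KASAN trace is in bcd2000_input_complete(); the hunk kills both URBs, so the fix itself is sound, but the log message should say which URB's completion handler actually hit freed memory.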