Bug 1311566 (CVE-2016-2547)

Summary: CVE-2016-2547 kernel: sound: use-after-free in snd_timer_user_ioctl
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agordeev, aquini, arm-mgr, bhu, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, nmurray, pholasek, plougher, rt-maint, rvrbovsk, vdronov, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-08 11:10:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1288993, 1311573
Bug Blocks: 1311575

Description Andrej Nemec 2016-02-24 13:26:59 UTC
A slave timer instance might still be accessible in a racy way while operating on the master instance, as it lacks locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too.

Upstream patch:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d

External references:

http://marc.info/?l=linux-kernel&m=145269654327048
https://gist.githubusercontent.com/dvyukov/e833610757b098956b50/raw/d819cd13b466e4adbe3dd825ee481e4512e77633/gistfile1.txt

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q1/133

http://seclists.org/oss-sec/2016/q1/410

Comment 1 Josh Boyer 2016-02-24 13:57:34 UTC
This was fixed in 4.3.5 with:

commit ea7f3d59628930dc29482a292e2a55c81cac52a4
Author: Takashi Iwai <tiwai>
Date:   Thu Jan 14 16:30:58 2016 +0100

    ALSA: timer: Harden slave timer list handling
    
    commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.
    

and in 4.4.1 with:

commit 8eff3aa0a9bbb593dce0ec0344ec1961318e44c8
Author: Takashi Iwai <tiwai>
Date:   Thu Jan 14 16:30:58 2016 +0100

    ALSA: timer: Harden slave timer list handling
    
    commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.

All Fedora branches are on those or newer.  This issue is fixed in Fedora.

Comment 3 Vladis Dronov 2016-03-08 11:10:31 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2, as the flaw was already fixed in the products listed.

Comment 4 Vladis Dronov 2016-03-11 17:55:26 UTC
*** Bug 1311568 has been marked as a duplicate of this bug. ***