ASA-2018-00068 – Linux kernel: Use-after-free in usb_audio_probe()

Allele Security Alert

ASA-2018-00068

Identifier(s)

ASA-2018-00068, CVE-2018-19824

Title

Use-after-free in usb_audio_probe()

Vendor(s)

Linux foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.20

Linux kernel versions before 4.9.145
Linux kernel versions before 4.19.9
Linux kernel versions before 4.14.88
Linux kernel versions before 4.4.167
Linux kernel versions before 3.16.63

Fixed version(s)

Linux kernel version 4.20

Linux kernel version 4.9.145
Linux kernel version 4.19.9
Linux kernel version 4.14.88
Linux kernel version 4.4.167
Linux kernel version 3.16.63

Proof of concept

Unknown

Description

There is a use-after-free vulnerability in usb_audio_probe(). This function accesses a freed object when decrementing its reference counter. The attacker needs local access to plug in a malicious USB device in order to exploit the vulnerability.

Technical details

If a USB sound card reports 0 interface, an error condition is triggered and the function usb_audio_probe() errors out. In the error path, there was a use-after-free vulnerability where the memory object of the card was first freed, followed by a decrement of the number of active chips.

File: sound/usb/card.c
---
 __error:
if (chip) {
+ /* chip->active is inside the chip->card object,
+ * decrement before memory is possibly returned.
+ */
+ atomic_dec(&chip->active);
if (!chip->num_interfaces)
snd_card_free(chip->card);
- atomic_dec(&chip->active);
}
mutex_unlock(&register_mutex);
return err;
---

Credits

Mathias Payer

Reference(s)

UAF write in usb_audio_probe
https://seclists.org/oss-sec/2018/q4/197

ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?id=5f8cf712582617d523120df67d392059eaf2fc4b

ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
https://github.com/torvalds/linux/commit/5f8cf712582617d523120df67d392059eaf2fc4b

ChangeLog-4.9.145
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.145

ChangeLog-4.19.9
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.9

ChangeLog-4.14.88
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.88

ChangeLog-4.4.167
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.167

ChangeLog-3.16.63
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.63

ChangeLog-4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20

CVE-2018-19824 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-19824

CVE-2018-19824 | SUSE
https://www.suse.com/security/cve/CVE-2018-19824

CVE-2018-19824
https://security-tracker.debian.org/tracker/CVE-2018-19824

CVE-2018-19824 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19824.html

CVE-2018-19824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19824

CVE-2018-19824
https://nvd.nist.gov/vuln/detail/CVE-2018-19824

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.