libjack-jackd2-0 double close on a failure to connect to jackd which causes crashes in multithreaded programs

Bug #1833479 reported by Joseph Yasi
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
alsa-plugins (Ubuntu)
Invalid
Undecided
Unassigned
jackd2 (Debian)
Fix Released
Unknown
jackd2 (Ubuntu)
Fix Released
High
Unassigned

Bug Description

After upgrading to Ubuntu 19.04, I started experiencing sporadic crashes in kodi when turning my AV receiver on. Ubuntu 19.04 upgraded alsa-plugins to 1.1.8. For alsa-plugins >= 1.1.7, the ALSA jack plugin is enabled by default in /etc/alsa/conf.d/50-jack.conf.

The crashes are caused by a race condition when kodi's audio engine thread is enumerating the ALSA sound devices, and the udev thread is enumerating the udev devices triggered by the sound device add from turning the AVR on.

When enumerating the ALSA jack plugin device, it tries to connect to connect to jackd. Since I don't have jackd installed, it fails to connect. libjack closes the socket on error, and then closes it again in it's cleanup code. Since it's closing the same file descriptor twice, it interacts with other threads that have potentially opened file descriptors, and causes the crash.

This same bug could potentially affect other multi-threaded programs that enumerate ALSA devices.

Fix committed upstream: https://github.com/jackaudio/jack2/commit/dad4b5702782eef3bd66e3c3f4fefaaae3571208

Tags: focal patch

CVE References

Revision history for this message
Joseph Yasi (joe-yasi) wrote :

See kodi issue with stack traces: https://github.com/xbmc/xbmc/issues/16258

Revision history for this message
Joseph Yasi (joe-yasi) wrote :
information type: Public → Public Security
Revision history for this message
Joseph Yasi (joe-yasi) wrote :

I'm marking this a security bug, since all double close bugs can potentially be security bugs in multithreaded programs depending on the close interleaving.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Set-fSocket-to--1-after-close-on-an-error-to-prevent-a-double-close.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Joseph Yasi (joe-yasi)
description: updated
Mathew Hodson (mhodson)
Changed in jackd2 (Ubuntu):
importance: Undecided → High
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Unsubscribing the Sponsors Team as there is no debdiff to sponsor. Poked the Security Team.

Revision history for this message
Alex Murray (alexmurray) wrote :

From a security point of view, it is best if this issue is fixed not just in Ubuntu but other distributions - and the best way to ensure that is to get a CVE assigned for it. Has a CVE been applied for for this issue? If not, could you please submit one to MITRE and when one is assigned please report it back here https://cveform.mitre.org/ - if one has already been assigned please post the CVE number here.

Revision history for this message
Joseph Yasi (joe-yasi) wrote :

I just requested one and received: CVE-2019-13351

Changed in jackd2 (Ubuntu):
status: New → Confirmed
Changed in jackd2 (Debian):
status: New → Confirmed
Mathew Hodson (mhodson)
Changed in jackd2 (Debian):
importance: Undecided → Unknown
status: Confirmed → Unknown
Mathew Hodson (mhodson)
Changed in jackd2 (Ubuntu):
importance: High → Low
Changed in jackd2 (Debian):
status: Unknown → Confirmed
Revision history for this message
Joseph Yasi (joe-yasi) wrote :

jackd2 released version 1.9.13 which includes this fix.

Revision history for this message
Teeedubb (teeedubb) wrote :

Hi,

I am experiencing the same issue with Kodi 18.5 and Xubuntu 19.10 with similar stack traces to joe-yasi. Is there anyway to install the updated package via Ubuntu updates?

Revision history for this message
Joseph Yasi (joe-yasi) wrote : Re: [Bug 1833479] Re: libjack-jackd2-0 double close on a failure to connect to jackd which causes crashes in multithreaded programs

Can this package get updated to 1.9.13, or at least patched in time for
20.04? The security exploitability of this bug may be low, but the impact
on affected users is high. It causes hard to debug, random crashes of other
programs (e g. Kodi) that are scanning ALSA devices when the jack daemon
isn't even started.

On Wed, Nov 20, 2019, 10:40 PM Teeedubb <email address hidden> wrote:

> Hi,
>
> I am experiencing the same issue with Kodi 18.5 and Xubuntu 19.10 with
> similar stack traces to joe-yasi. Is there anyway to install the updated
> package via Ubuntu updates?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1833479
>
> Title:
> libjack-jackd2-0 double close on a failure to connect to jackd which
> causes crashes in multithreaded programs
>
> Status in jackd2 package in Ubuntu:
> Confirmed
> Status in jackd2 package in Debian:
> Confirmed
>
> Bug description:
> After upgrading to Ubuntu 19.04, I started experiencing sporadic
> crashes in kodi when turning my AV receiver on. Ubuntu 19.04 upgraded
> alsa-plugins to 1.1.8. For alsa-plugins >= 1.1.7, the ALSA jack plugin
> is enabled by default in /etc/alsa/conf.d/50-jack.conf.
>
> The crashes are caused by a race condition when kodi's audio engine
> thread is enumerating the ALSA sound devices, and the udev thread is
> enumerating the udev devices triggered by the sound device add from
> turning the AVR on.
>
> When enumerating the ALSA jack plugin device, it tries to connect to
> connect to jackd. Since I don't have jackd installed, it fails to
> connect. libjack closes the socket on error, and then closes it again
> in it's cleanup code. Since it's closing the same file descriptor
> twice, it interacts with other threads that have potentially opened
> file descriptors, and causes the crash.
>
> This same bug could potentially affect other multi-threaded programs
> that enumerate ALSA devices.
>
> Fix committed upstream:
>
> https://github.com/jackaudio/jack2/commit/dad4b5702782eef3bd66e3c3f4fefaaae3571208
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/jackd2/+bug/1833479/+subscriptions
>

Revision history for this message
Joseph Yasi (joe-yasi) wrote :

I'm marking this as also affects alsa-plugins since that is shipping a jack plugin by default, and this bug is triggered when jack isn't even running. Programs that scan for ALSA devices pick up that jack plugin and trigger the double close.

Revision history for this message
Joseph Yasi (joe-yasi) wrote :

Is this going to make it for focal? This bug causes kodi to crash when turning my TV screen off.

tags: added: focal
Revision history for this message
Joseph Yasi (joe-yasi) wrote :

I currently have the package patched in my PPA to resolve the bug. It is a difficult to debug problem that has been sending users upstream to kodi with bug reports and confusing stack traces. This will get more exposure when focal is released due to the LTS status.

Changed in jackd2 (Ubuntu):
importance: Low → High
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package jackd2 - 1.9.12~dfsg-2ubuntu2

---------------
jackd2 (1.9.12~dfsg-2ubuntu2) focal; urgency=medium

  * debian/patches/CVE-2019-13351.patch:
    - Set fSocket to -1 after close on an error to prevent a double close,
      fix CVE-2019-13351 (lp: #1833479)

 -- Sebastien Bacher <email address hidden> Thu, 16 Apr 2020 10:21:43 +0200

Changed in jackd2 (Ubuntu):
status: Fix Committed → Fix Released
Changed in alsa-plugins (Ubuntu):
status: New → Invalid
Changed in jackd2 (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.