Message-ID: <4CA2E190.4070807@redhat.com>
Date: Wed, 29 Sep 2010 14:49:52 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - kernel: prevent heap corruption in snd_ctl_new()

Reported by Dan Rosenberg. The snd_ctl_new() function in
sound/core/control.c allocates space for a snd_kcontrol struct by
performing arithmetic operations on a user-provided size without
checking for integer overflow. If a user provides a large enough size,
an overflow will occur, the allocated chunk will be too small, and a
second user-influenced value will be written repeatedly past the bounds
of this chunk. This code is reachable by unprivileged users who have
permission to open a /dev/snd/controlC* device (on many distros, this is
group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Upstream commit:
http://git.kernel.org/linus/5591bf07225523600450edd9e6ad258bb877b779

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=638478

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
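
Added example, not part of the message above and not the kernel's code: a simplified C model of the bug class described, an allocation size computed as a fixed header plus a per-element size times a caller-supplied count, shown unchecked and with a bounds check. `HDR_SIZE`, `ELEM_SIZE`, `MAX_COUNT` and all function names are hypothetical, and 32-bit size arithmetic is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins; these are not the kernel's struct sizes. */
#define HDR_SIZE   64u    /* fixed part of the object */
#define ELEM_SIZE  16u    /* trailing record written once per element */
#define MAX_COUNT  1024u  /* assumed policy cap on the element count */

/* Unchecked form: 32-bit arithmetic wraps silently for a large count. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return (uint32_t)(HDR_SIZE + ELEM_SIZE * count);
}

/* Checked form: 0 on success with the size in *out, -1 if rejected. */
int alloc_size_checked(uint32_t count, uint32_t *out)
{
    if (count > MAX_COUNT)                            /* policy limit */
        return -1;
    /* Kept independent of the cap, so raising MAX_COUNT later
     * cannot reintroduce the wrap. */
    if (count > (UINT32_MAX - HDR_SIZE) / ELEM_SIZE)
        return -1;
    *out = HDR_SIZE + ELEM_SIZE * count;
    return 0;
}

/* Bytes a per-element initialisation loop touches, computed in
 * 64 bits so the comparison value itself cannot wrap. */
uint64_t bytes_written(uint32_t count)
{
    return (uint64_t)HDR_SIZE + (uint64_t)ELEM_SIZE * count;
}

int main(void)
{
    /* Constructed sample counts: two ordinary, one that wraps. */
    uint32_t counts[] = { 4u, 1024u, 0x10000000u };
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t sz = 0;
        int rc = alloc_size_checked(counts[i], &sz);
        printf("count=%u unchecked=%u written=%llu checked=%s\n",
               (unsigned)counts[i], (unsigned)alloc_size_unchecked(counts[i]),
               (unsigned long long)bytes_written(counts[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

For the wrapping count the unchecked size collapses to the header alone while the write loop still covers every element, which is the mismatch between chunk size and bytes written that the report describes.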