Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100929070115.GB22643@suse.de>
Date: Wed, 29 Sep 2010 09:01:15 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - kernel: prevent heap corruption in snd_ctl_new()

On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
> Reported by Dan Rosenberg. The snd_ctl_new() function in 
> sound/core/control.c allocates space for a snd_kcontrol struct by 
> performing arithmetic operations on a user-provided size without 
> checking for integer overflow.  If a user provides a large enough size, 
> an overflow will occur, the allocated chunk will be too small, and a 
> second user-influenced value will be written repeatedly past the bounds 
> of this chunk. This code is reachable by unprivileged users who have 
> permission to open a /dev/snd/controlC* device (on many distros, this is 
> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and 
> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
> 
> Upstream commit:
> http://git.kernel.org/linus/5591bf07225523600450edd9e6ad258bb877b779

Doesnt seem to be valid. There is also no change in sounds/core/control.c
since April in current mainline git.
 
Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.