|
Message-ID: <20160223142652.GG4714@suse.de>
Date: Tue, 23 Feb 2016 15:26:52 +0100
From: Johannes Segitz <jsegitz@...e.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Security bugs in Linux kernel sound subsystem
ping, please have a look
On Tue, Jan 19, 2016 at 09:33:36AM +0100, Johannes Segitz wrote:
> Hi,
>
> Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
> triggered by syzkaller fuzzer. These can allow a user to DoS the system.
>
> Please assign CVEs to the issues listed below. Thanks.
>
> (the link
> http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@mail.gmail.com
> is dead,
> http://www.spinics.net/lists/alsa-devel/msg45102.html should contain the
> information)
>
> ----- Forwarded message from Takashi Iwai -----
>
> - NULL dereference via ALSA sequencer access:
> http://lkml.kernel.org/r/CACT4Y+auYVVmKL37ijBWamQQ7zGKVVFHemyAiELW5DC0Fz7V3g@mail.gmail.com
> ('sound: GPF in snd_seq_fifo_clear')
>
> The fix is on Linus tree,
> commit 030e2c78d3a91dd0d27fef37e91950dde333eba1
> ALSA: seq: Fix missing NULL check at remove_events ioctl
>
> - Race at ALSA sequencer timer setup and close:
> http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@mail.gmail.com
> ('sound: use-after-free in snd_timer_stop')
>
> The fix is on Linus tree,
> commit 3567eb6af614dac436c4b16a8d426f9faed639b3
> ALSA: seq: Fix race at timer setup and close
>
> - Race among ALSA timer ioctls:
> this is triggered by a few different fuzzer cases, and involved with
> multiple fix commits.
>
> http://lkml.kernel.org/r/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw@mail.gmail.com
> ('sound: use-after-free in snd_timer_interrupt')
>
> http://lkml.kernel.org/r/CACT4Y+bC5FMVFuk1VcqVtMyqvDyeKN4NrdxV+5eX93_Zr8L63Q@mail.gmail.com
> ('sound: GPF in snd_timer_user_params')
>
> http://lkml.kernel.org/r/CACT4Y+akV9XyDC_kmBQZV-26Py13E6sYASXaP4GKLNbRh6nZnA@mail.gmail.com
> ('sound: use-after-free in snd_timer_user_ioctl')
>
> The fixes are the following commits on Linus tree,
> ee8413b01045c74340aa13ad5bdf905de32be736
> ALSA: timer: Fix double unlink of active_list
>
> af368027a49a751d6ff4ee9e3f9961f35bb4fede
> ALSA: timer: Fix race among timer ioctls
>
> b5a663aa426f4884c71cd8580adae73f33570f0d
> ALSA: timer: Harden slave timer list handling
>
> - Deadlock at ALSA hrtimer concurrent accesses:
> http://lkml.kernel.org/r/CACT4Y+a3YzyNbgeeg2Dr2dDcUtP+=D6DxQ7Dkjn-+rEXEAP5vw@mail.gmail.com
> ('sound: spinlock lockup in sound/core/timer.c')
>
> Further tracked at the thread
> http://lkml.kernel.org/r/CACT4Y+YPVUCTenSZjLfMf08NHJm1u3--Qm6a32oTdCmxUGkC0Q@mail.gmail.com
>
> The fix is in sound git tree for-linus branch, will send a pull
> request in a couple of days:
> git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
>
> commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
> ALSA: hrtimer: Fix stall by hrtimer_cancel()
>
>
> ----- End forwarded message -----
>
> Johannes
> --
> GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
> Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg)
Johannes
--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.