Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 29 Sep 2010 14:49:52 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - kernel: prevent heap corruption in snd_ctl_new()

Reported by Dan Rosenberg. The snd_ctl_new() function in 
sound/core/control.c allocates space for a snd_kcontrol struct by 
performing arithmetic operations on a user-provided size without 
checking for integer overflow.  If a user provides a large enough size, 
an overflow will occur, the allocated chunk will be too small, and a 
second user-influenced value will be written repeatedly past the bounds 
of this chunk. This code is reachable by unprivileged users who have 
permission to open a /dev/snd/controlC* device (on many distros, this is 
group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and 
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Upstream commit:
http://git.kernel.org/linus/5591bf07225523600450edd9e6ad258bb877b779

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=638478

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ