Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Sep 2010 15:12:37 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - kernel: prevent heap corruption
 in snd_ctl_new()

On 09/29/2010 03:01 PM, Marcus Meissner wrote:
> On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
>> Reported by Dan Rosenberg. The snd_ctl_new() function in
>> sound/core/control.c allocates space for a snd_kcontrol struct by
>> performing arithmetic operations on a user-provided size without
>> checking for integer overflow.  If a user provides a large enough size,
>> an overflow will occur, the allocated chunk will be too small, and a
>> second user-influenced value will be written repeatedly past the bounds
>> of this chunk. This code is reachable by unprivileged users who have
>> permission to open a /dev/snd/controlC* device (on many distros, this is
>> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
>> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
>>
>> Upstream commit:
>> http://git.kernel.org/linus/5591bf07225523600450edd9e6ad258bb877b779
>
> Doesnt seem to be valid. There is also no change in sounds/core/control.c
> since April in current mainline git.

Please use this link.

http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.