Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 29 Sep 2010 14:22:16 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Marcus Meissner <meissner@...e.de>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - kernel: prevent heap corruption in
 snd_ctl_new()

Please use CVE-2010-3442

Thanks.

-- 
    JB


----- "Eugene Teo" <eugene@...hat.com> wrote:

> On 09/29/2010 03:01 PM, Marcus Meissner wrote:
> > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
> >> Reported by Dan Rosenberg. The snd_ctl_new() function in
> >> sound/core/control.c allocates space for a snd_kcontrol struct by
> >> performing arithmetic operations on a user-provided size without
> >> checking for integer overflow.  If a user provides a large enough
> size,
> >> an overflow will occur, the allocated chunk will be too small, and
> a
> >> second user-influenced value will be written repeatedly past the
> bounds
> >> of this chunk. This code is reachable by unprivileged users who
> have
> >> permission to open a /dev/snd/controlC* device (on many distros,
> this is
> >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
> >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
> >>
> >> Upstream commit:
> >>
> http://git.kernel.org/linus/5591bf07225523600450edd9e6ad258bb877b779
> >
> > Doesnt seem to be valid. There is also no change in
> sounds/core/control.c
> > since April in current mainline git.
> 
> Please use this link.
> 
> http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779
> 
> Eugene
> -- 
> main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i);
> }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.