Date: Wed, 04 Jun 2014 14:40:02 +0600
From: "Alexander E. Patrakov" <patrakov@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: PulseAudio crash due to empty UDP packet

Hello.

If one has module-rtp-recv loaded into PulseAudio, then a remote attacker can crash this instance of PulseAudio by sending an empty UDP packet to the multicast address where module-rtp-recv has decided to receive the stream due to a previous SAP/SDP announcement.

When PulseAudio crashes, it says to the log:

E: [alsa-sink-ALC275 Analog] memblock.c: Assertion 'b' failed at .../pulseaudio-5.0/src/pulsecore/memblock.c:596, function pa_memblock_unref(). Aborting.

So this doesn't look exploitable - just a DoS attack, and PulseAudio usually gets respawned anyway.

The problem has been reported upstream, but has got no response yet:

http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html

The problematic code is in the pa_rtp_recv() function, in the handling of the result of the FIONREAD ioctl. It has existed since the introduction of the module, i.e. since 2006-04-16 (git commit f1ddf0523), which is before version 1.0. The problem I found is that the function just returns immediately, without even attempting to read the zero-sized packet. I don't know how this later leads to the failed assertion.

http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/rtp/rtp.c#n185

A patch has been sent, but not reviewed and thus not accepted, and thus the problem still exists in git master:

http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020741.html

I have also tested SAP/SDP handling for the same type of vulnerability, but PulseAudio survived an empty UDP packet there just fine.

-- 
Alexander E. Patrakov
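The receive pattern the report describes (returning as soon as FIONREAD reports 0, without reading the datagram) shown beside the handling a receiver wants, as an added example that is not PulseAudio's code. It assumes a Unix datagram socketpair as an offline stand-in for the RTP UDP socket (zero-length datagrams and FIONREAD behave the same way for this purpose), and the function names are made up.

```c
#include <poll.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Buggy pattern: treat FIONREAD == 0 as "nothing to read" and return without
 * reading.  The zero-length datagram is never consumed, so the socket stays
 * readable and the event loop keeps coming back here. */
static int recv_early_return(int fd, unsigned char *buf, size_t cap) {
    int pending = 0;
    if (ioctl(fd, FIONREAD, &pending) < 0) return -1;
    if (pending <= 0) return 0;               /* bug: datagram left queued */
    return (int)recv(fd, buf, cap, 0);
}

/* Hardened pattern: FIONREAD only sizes the read; the recv() always happens,
 * so an empty datagram is consumed (recv returns 0) and the caller can treat
 * 0 as "no payload" rather than as data. */
static int recv_always_read(int fd, unsigned char *buf, size_t cap) {
    int pending = 0;
    if (ioctl(fd, FIONREAD, &pending) < 0) return -1;
    size_t want = (pending > 0 && (size_t)pending < cap) ? (size_t)pending : cap;
    return (int)recv(fd, buf, want, 0);       /* 0 = empty datagram, now dequeued */
}

/* 1 if a datagram is still waiting on fd, 0 otherwise (poll with zero timeout). */
static int still_queued(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    return (poll(&p, 1, 0) > 0 && (p.revents & POLLIN)) ? 1 : 0;
}

/* Deliver one constructed empty datagram and run both receivers against it.
 * Returns 1 when the buggy receiver leaves it queued and the hardened one
 * drains it, -1 on setup failure, 0 otherwise. */
int demo_empty_datagram(void) {
    int sv[2];
    unsigned char buf[64];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (send(sv[0], "", 0, 0) < 0) { close(sv[0]); close(sv[1]); return -1; }
    int r1 = recv_early_return(sv[1], buf, sizeof buf);
    int q1 = still_queued(sv[1]);             /* expected 1: still there */
    int r2 = recv_always_read(sv[1], buf, sizeof buf);
    int q2 = still_queued(sv[1]);             /* expected 0: consumed */
    close(sv[0]);
    close(sv[1]);
    return (r1 == 0 && q1 == 1 && r2 == 0 && q2 == 0) ? 1 : 0;
}
```

The page does not say how the unread datagram turns into the memblock assertion, and this example does not claim to reproduce that; it only shows that the early return leaves the datagram in the socket queue.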