Date: Thu, 26 Jun 2014 01:52:26 -0400 (EDT) From: cve-assign@...re.org To: meissner@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux kernel ALSA core control API vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=07f4d9d74a04aa7c72c5dae0ef97565f28f17b92 > ALSA: control: Protect user controls against concurrent access > The user-control put and get handlers as well as the tlv do not > protect against concurrent access from multiple threads. Since the > state of the control is not updated atomically it is possible that > either two write operations or a write and a read operation race > against each other. Both can lead to arbitrary memory disclosure. > (aka "The first issue is a race conditions in the user-control put/get > and tlv handlers" ... "first affected release is v2.6.18") Use CVE-2014-4652. > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=fd9f26e4eca5d08a27d12c0933fceef76ed9663d > ALSA: control: Don't access controls outside of protected regions > A control that is visible on the card->controls list can be freed at > any time. This means we must not access any of its memory while not > holding the controls_rw_lock. Otherwise we risk a use after free > access. > (aka "There are a couple of places where a kcontrol is de-referenced > after controls_rwsem has been released" ... "first affected release > predates the git history") Use CVE-2014-4653. > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=82262a46627bebb0febcc26664746c25cef08563 > ALSA: control: Fix replacing user controls > The first is that the code does not check if the control is actually a > user control and neither does it check if the control is owned by the > process that tries to remove it. That allows userspace applications to > remove arbitrary controls, which can cause a user after free > (aka "The next issue is that SNDRV_CTL_IOCTL_ELEM_REPLACE does no > permission checking on the control that is to be replaced. This allows > a application to remove controls that were created by the kernel > driver and also controls that are locked by other applications." ... > "first affected release predates the git history") Use CVE-2014-4654. > The second issue is that on one hand when a control is replaced the > user_ctl_count limit is not checked and on the other hand the > user_ctl_count is increased (even though the number of user controls > does not change). This allows userspace, once the user_ctl_count limit > as been reached, to repeatedly replace a control until user_ctl_count > overflows. > (aka "SNDRV_CTL_IOCTL_ELEM_REPLACE also gets the user_ctl_count > handling wrong" ... "first affected release predates the git history") Use CVE-2014-4655. [ in other words, two different CVE IDs for the 82262a46627bebb0febcc26664746c25cef08563 commit ] > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e > ALSA: control: Make sure that id->index does not overflow > if (id.index > UINT_MAX - kcontrol->count) > goto error; > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=ac902c112d90a89e59916f751c2745f4dbdbb4bd > ALSA: control: Handle numid overflow > if (card->last_numid >= UINT_MAX - count) > card->last_numid = 0; > (aka "The last two issues are overflows of id.index and id.numid" ... > "first affected release predates the git history") Use CVE-2014-4656. [ in other words, a single CVE ID for both the 883a1d49f0d77d30012f114b2e19fc141beb3e8e and ac902c112d90a89e59916f751c2745f4dbdbb4bd commits ] - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTq7SSAAoJEKllVAevmvmsWqcH+wZvqFs9w+jOaeImZ29/XWbX lEnH70xDxS81Bp0MAst5Ve4w1sH5neTC1K97x8cpmXvgBmYdiTtAnB+EzidrStin 1WKBSfAc4jx/Xt7FWwXgWSzCVGxotVGpk74MP4l/bpoOqFhXO5wQSGjGOEvX0qaF oVlep0ftGTVowoamTznrDnIEhVtdCBgymrHSSoz3LfSIHVBVqIt7WdFOcfXW4/aa lcPAG42sfoaQRPwE9VOIl7yVouMjHOBq4LFyamSXN2D8it3OrszQi1aayTWw/Fwo cASkfa+OtNPPJobRgzQFRellzsbfvmVlWOy7n54rQNUcG/N7P7a8kNHL5qU2Br4= =kz9h -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ