Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 09:33:36 +0100
From: Johannes Segitz <jsegitz@...e.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Security bugs in Linux kernel sound subsystem

Hi,

Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
triggered by syzkaller fuzzer. These can allow a user to DoS the system.

Please assign CVEs to the issues listed below. Thanks.

(the link
http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@...l.gmail.com
is dead, 
http://www.spinics.net/lists/alsa-devel/msg45102.html should contain the
information)

----- Forwarded message from Takashi Iwai -----

- NULL dereference via ALSA sequencer access:
  http://lkml.kernel.org/r/CACT4Y+auYVVmKL37ijBWamQQ7zGKVVFHemyAiELW5DC0Fz7V3g@...l.gmail.com
  ('sound: GPF in snd_seq_fifo_clear')

  The fix is on Linus tree,
  commit 030e2c78d3a91dd0d27fef37e91950dde333eba1
    ALSA: seq: Fix missing NULL check at remove_events ioctl

- Race at ALSA sequencer timer setup and close:
  http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@...l.gmail.com
  ('sound: use-after-free in snd_timer_stop')

  The fix is on Linus tree,
  commit 3567eb6af614dac436c4b16a8d426f9faed639b3
    ALSA: seq: Fix race at timer setup and close

- Race among ALSA timer ioctls:
  this is triggered by a few different fuzzer cases, and involved with
  multiple fix commits.

  http://lkml.kernel.org/r/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw@...l.gmail.com
  ('sound: use-after-free in snd_timer_interrupt')

  http://lkml.kernel.org/r/CACT4Y+bC5FMVFuk1VcqVtMyqvDyeKN4NrdxV+5eX93_Zr8L63Q@...l.gmail.com
  ('sound: GPF in snd_timer_user_params')

  http://lkml.kernel.org/r/CACT4Y+akV9XyDC_kmBQZV-26Py13E6sYASXaP4GKLNbRh6nZnA@...l.gmail.com
  ('sound: use-after-free in snd_timer_user_ioctl')

  The fixes are the following commits on Linus tree,
  ee8413b01045c74340aa13ad5bdf905de32be736
    ALSA: timer: Fix double unlink of active_list

  af368027a49a751d6ff4ee9e3f9961f35bb4fede
    ALSA: timer: Fix race among timer ioctls

  b5a663aa426f4884c71cd8580adae73f33570f0d
    ALSA: timer: Harden slave timer list handling

- Deadlock at ALSA hrtimer concurrent accesses:
  http://lkml.kernel.org/r/CACT4Y+a3YzyNbgeeg2Dr2dDcUtP+=D6DxQ7Dkjn-+rEXEAP5vw@...l.gmail.com
  ('sound: spinlock lockup in sound/core/timer.c')

  Further tracked at the thread
  http://lkml.kernel.org/r/CACT4Y+YPVUCTenSZjLfMf08NHJm1u3--Qm6a32oTdCmxUGkC0Q@...l.gmail.com

  The fix is in sound git tree for-linus branch, will send a pull
  request in a couple of days:
  git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
  
  commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
    ALSA: hrtimer: Fix stall by hrtimer_cancel()


----- End forwarded message -----

Johannes
-- 
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ