Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 09:33:36 +0100
From: Johannes Segitz <>
Subject: Security bugs in Linux kernel sound subsystem


Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
triggered by syzkaller fuzzer. These can allow a user to DoS the system.

Please assign CVEs to the issues listed below. Thanks.

(the link
is dead, should contain the

----- Forwarded message from Takashi Iwai -----

- NULL dereference via ALSA sequencer access:
  ('sound: GPF in snd_seq_fifo_clear')

  The fix is on Linus tree,
  commit 030e2c78d3a91dd0d27fef37e91950dde333eba1
    ALSA: seq: Fix missing NULL check at remove_events ioctl

- Race at ALSA sequencer timer setup and close:
  ('sound: use-after-free in snd_timer_stop')

  The fix is on Linus tree,
  commit 3567eb6af614dac436c4b16a8d426f9faed639b3
    ALSA: seq: Fix race at timer setup and close

- Race among ALSA timer ioctls:
  this is triggered by a few different fuzzer cases, and involved with
  multiple fix commits.
  ('sound: use-after-free in snd_timer_interrupt')
  ('sound: GPF in snd_timer_user_params')
  ('sound: use-after-free in snd_timer_user_ioctl')

  The fixes are the following commits on Linus tree,
    ALSA: timer: Fix double unlink of active_list

    ALSA: timer: Fix race among timer ioctls

    ALSA: timer: Harden slave timer list handling

- Deadlock at ALSA hrtimer concurrent accesses:
  ('sound: spinlock lockup in sound/core/timer.c')

  Further tracked at the thread

  The fix is in sound git tree for-linus branch, will send a pull
  request in a couple of days:
  commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
    ALSA: hrtimer: Fix stall by hrtimer_cancel()

----- End forwarded message -----

GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton
HRB 21284 (AG N├╝rnberg)

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ