Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 23 Feb 2016 15:26:52 +0100
From: Johannes Segitz <jsegitz@...e.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Security bugs in Linux kernel sound subsystem

ping, please have a look

On Tue, Jan 19, 2016 at 09:33:36AM +0100, Johannes Segitz wrote:
> Hi,
> 
> Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
> triggered by syzkaller fuzzer. These can allow a user to DoS the system.
> 
> Please assign CVEs to the issues listed below. Thanks.
> 
> (the link
> http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@...l.gmail.com
> is dead, 
> http://www.spinics.net/lists/alsa-devel/msg45102.html should contain the
> information)
> 
> ----- Forwarded message from Takashi Iwai -----
> 
> - NULL dereference via ALSA sequencer access:
>   http://lkml.kernel.org/r/CACT4Y+auYVVmKL37ijBWamQQ7zGKVVFHemyAiELW5DC0Fz7V3g@...l.gmail.com
>   ('sound: GPF in snd_seq_fifo_clear')
> 
>   The fix is on Linus tree,
>   commit 030e2c78d3a91dd0d27fef37e91950dde333eba1
>     ALSA: seq: Fix missing NULL check at remove_events ioctl
> 
> - Race at ALSA sequencer timer setup and close:
>   http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@...l.gmail.com
>   ('sound: use-after-free in snd_timer_stop')
> 
>   The fix is on Linus tree,
>   commit 3567eb6af614dac436c4b16a8d426f9faed639b3
>     ALSA: seq: Fix race at timer setup and close
> 
> - Race among ALSA timer ioctls:
>   this is triggered by a few different fuzzer cases, and involved with
>   multiple fix commits.
> 
>   http://lkml.kernel.org/r/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw@...l.gmail.com
>   ('sound: use-after-free in snd_timer_interrupt')
> 
>   http://lkml.kernel.org/r/CACT4Y+bC5FMVFuk1VcqVtMyqvDyeKN4NrdxV+5eX93_Zr8L63Q@...l.gmail.com
>   ('sound: GPF in snd_timer_user_params')
> 
>   http://lkml.kernel.org/r/CACT4Y+akV9XyDC_kmBQZV-26Py13E6sYASXaP4GKLNbRh6nZnA@...l.gmail.com
>   ('sound: use-after-free in snd_timer_user_ioctl')
> 
>   The fixes are the following commits on Linus tree,
>   ee8413b01045c74340aa13ad5bdf905de32be736
>     ALSA: timer: Fix double unlink of active_list
> 
>   af368027a49a751d6ff4ee9e3f9961f35bb4fede
>     ALSA: timer: Fix race among timer ioctls
> 
>   b5a663aa426f4884c71cd8580adae73f33570f0d
>     ALSA: timer: Harden slave timer list handling
> 
> - Deadlock at ALSA hrtimer concurrent accesses:
>   http://lkml.kernel.org/r/CACT4Y+a3YzyNbgeeg2Dr2dDcUtP+=D6DxQ7Dkjn-+rEXEAP5vw@...l.gmail.com
>   ('sound: spinlock lockup in sound/core/timer.c')
> 
>   Further tracked at the thread
>   http://lkml.kernel.org/r/CACT4Y+YPVUCTenSZjLfMf08NHJm1u3--Qm6a32oTdCmxUGkC0Q@...l.gmail.com
> 
>   The fix is in sound git tree for-linus branch, will send a pull
>   request in a couple of days:
>   git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
>   
>   commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
>     ALSA: hrtimer: Fix stall by hrtimer_cancel()
> 
> 
> ----- End forwarded message -----
> 
> Johannes
> -- 
> GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
> Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg)

Johannes
-- 
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ