Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 Jan 2016 09:33:36 +0100
From: Johannes Segitz <jsegitz@...e.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Security bugs in Linux kernel sound subsystem

Hi,

Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
triggered by syzkaller fuzzer. These can allow a user to DoS the system.

Please assign CVEs to the issues listed below. Thanks.

(the link
http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@mail.gmail.com
is dead, 
http://www.spinics.net/lists/alsa-devel/msg45102.html should contain the
information)

----- Forwarded message from Takashi Iwai -----

- NULL dereference via ALSA sequencer access:
  http://lkml.kernel.org/r/CACT4Y+auYVVmKL37ijBWamQQ7zGKVVFHemyAiELW5DC0Fz7V3g@mail.gmail.com
  ('sound: GPF in snd_seq_fifo_clear')

  The fix is on Linus tree,
  commit 030e2c78d3a91dd0d27fef37e91950dde333eba1
    ALSA: seq: Fix missing NULL check at remove_events ioctl

- Race at ALSA sequencer timer setup and close:
  http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA@mail.gmail.com
  ('sound: use-after-free in snd_timer_stop')

  The fix is on Linus tree,
  commit 3567eb6af614dac436c4b16a8d426f9faed639b3
    ALSA: seq: Fix race at timer setup and close

- Race among ALSA timer ioctls:
  this is triggered by a few different fuzzer cases, and involved with
  multiple fix commits.

  http://lkml.kernel.org/r/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw@mail.gmail.com
  ('sound: use-after-free in snd_timer_interrupt')

  http://lkml.kernel.org/r/CACT4Y+bC5FMVFuk1VcqVtMyqvDyeKN4NrdxV+5eX93_Zr8L63Q@mail.gmail.com
  ('sound: GPF in snd_timer_user_params')

  http://lkml.kernel.org/r/CACT4Y+akV9XyDC_kmBQZV-26Py13E6sYASXaP4GKLNbRh6nZnA@mail.gmail.com
  ('sound: use-after-free in snd_timer_user_ioctl')

  The fixes are the following commits on Linus tree,
  ee8413b01045c74340aa13ad5bdf905de32be736
    ALSA: timer: Fix double unlink of active_list

  af368027a49a751d6ff4ee9e3f9961f35bb4fede
    ALSA: timer: Fix race among timer ioctls

  b5a663aa426f4884c71cd8580adae73f33570f0d
    ALSA: timer: Harden slave timer list handling

- Deadlock at ALSA hrtimer concurrent accesses:
  http://lkml.kernel.org/r/CACT4Y+a3YzyNbgeeg2Dr2dDcUtP+=D6DxQ7Dkjn-+rEXEAP5vw@mail.gmail.com
  ('sound: spinlock lockup in sound/core/timer.c')

  Further tracked at the thread
  http://lkml.kernel.org/r/CACT4Y+YPVUCTenSZjLfMf08NHJm1u3--Qm6a32oTdCmxUGkC0Q@mail.gmail.com

  The fix is in sound git tree for-linus branch, will send a pull
  request in a couple of days:
  git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
  
  commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
    ALSA: hrtimer: Fix stall by hrtimer_cancel()


----- End forwarded message -----

Johannes
-- 
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton
HRB 21284 (AG N├╝rnberg)

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.