oss-sec mailing list archives
CVE request: PulseAudio crash due to empty UDP packet
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Wed, 04 Jun 2014 14:40:02 +0600
Hello.
If one has module-rtp-recv loaded into PulseAudio, then a remote attacker can crash this instance of PulseAudio by sending an empty UDP packet to the multicast address where module-rtp-recv has decided to receive the stream due to a previous SAP/SDP announcement.
When PulseAudio crashes, it says to the log:
E: [alsa-sink-ALC275 Analog] memblock.c: Assertion 'b' failed at .../pulseaudio-5.0/src/pulsecore/memblock.c:596, function pa_memblock_unref(). Aborting.
So this doesn't look exploitable - just a DoS attack, and PulseAudio usually gets respawned anyway.
The problem has been reported upstream, but got no response yet: http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html
The problematic code is in the pa_rtp_recv() function, in the handling of the result of the FIONREAD ioctl. It existed since the introduction of the module, i.e. since 2006-04-16 (git commit f1ddf0523), which is before version 1.0.
The problem I found is that the function just returns immediately, without even attempting to read the zero-sized packet. I don't know how this later leads to the failed assertion.
http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/rtp/rtp.c#n185
A patch has been sent, but not reviewed and thus not accepted, and thus the problem still exists in git master:
http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020741.html
I have also tested SAP/SDP handling for the same type of vulnerability, but PulseAudio survived an empty UDP packet there just fine.
-- Alexander E. Patrakov
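
Added example, not part of the original post and not PulseAudio code: a loopback sketch of the receive pattern the report describes (return as soon as FIONREAD yields 0) next to a variant that still reads the datagram so it leaves the socket queue. It assumes Linux, where FIONREAD on a UDP socket reports the size of the next pending datagram; the function names and the queued datagrams are constructed for the illustration.

```c
/* Added illustration, not PulseAudio code; all function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed input: loopback UDP socket with an empty, then a 3-byte datagram queued. */
static int make_receiver(void) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof a;
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    if (getsockname(rx, (struct sockaddr *)&a, &len) < 0) return -1;
    if (sendto(tx, "", 0, 0, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    if (sendto(tx, "abc", 3, 0, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    close(tx);
    return rx;
}
static int readable(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return poll(&p, 1, 200) == 1 && (p.revents & POLLIN) != 0;
}
/* Pattern from the report: FIONREAD yields 0, so return without reading. */
static int recv_return_on_zero(int fd, char *buf, size_t cap) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0) return -1;
    if (size == 0) return 0;   /* the empty datagram stays at the head of the queue */
    return (int)recv(fd, buf, cap, MSG_DONTWAIT);
}
/* Hardened pattern: read even when FIONREAD yields 0, so the datagram is dequeued. */
static int recv_always_consume(int fd, char *buf, size_t cap) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0) return -1;
    return (int)recv(fd, buf, cap, MSG_DONTWAIT);   /* 0: empty packet, now dropped */
}
int main(void) {
    char buf[16];
    int fd = make_receiver();
    if (fd < 0 || !readable(fd)) return 1;
    int skipped = recv_return_on_zero(fd, buf, sizeof buf);
    printf("early return: %d, socket still readable: %d\n", skipped, readable(fd));
    int empty = recv_always_consume(fd, buf, sizeof buf);
    printf("consume: %d, next datagram length: %d\n", empty, recv_always_consume(fd, buf, sizeof buf));
    close(fd);
    return 0;
}
```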