oss-sec mailing list archives

Re: Security bugs in Linux kernel sound subsystem

From: Johannes Segitz <jsegitz () suse com>
Date: Tue, 23 Feb 2016 15:26:52 +0100

ping, please have a look

On Tue, Jan 19, 2016 at 09:33:36AM +0100, Johannes Segitz wrote:

Hi,

Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
triggered by syzkaller fuzzer. These can allow a user to DoS the system.

Please assign CVEs to the issues listed below. Thanks.

(the link
http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA () mail gmail com
is dead, 
http://www.spinics.net/lists/alsa-devel/msg45102.html should contain the
information)

----- Forwarded message from Takashi Iwai -----

- NULL dereference via ALSA sequencer access:
  http://lkml.kernel.org/r/CACT4Y+auYVVmKL37ijBWamQQ7zGKVVFHemyAiELW5DC0Fz7V3g () mail gmail com
  ('sound: GPF in snd_seq_fifo_clear')

  The fix is on Linus tree,
  commit 030e2c78d3a91dd0d27fef37e91950dde333eba1
    ALSA: seq: Fix missing NULL check at remove_events ioctl

- Race at ALSA sequencer timer setup and close:
  http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA () mail gmail com
  ('sound: use-after-free in snd_timer_stop')

  The fix is on Linus tree,
  commit 3567eb6af614dac436c4b16a8d426f9faed639b3
    ALSA: seq: Fix race at timer setup and close

- Race among ALSA timer ioctls:
  this is triggered by a few different fuzzer cases, and involved with
  multiple fix commits.

  http://lkml.kernel.org/r/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw () mail gmail com
  ('sound: use-after-free in snd_timer_interrupt')

  http://lkml.kernel.org/r/CACT4Y+bC5FMVFuk1VcqVtMyqvDyeKN4NrdxV+5eX93_Zr8L63Q () mail gmail com
  ('sound: GPF in snd_timer_user_params')

  http://lkml.kernel.org/r/CACT4Y+akV9XyDC_kmBQZV-26Py13E6sYASXaP4GKLNbRh6nZnA () mail gmail com
  ('sound: use-after-free in snd_timer_user_ioctl')

  The fixes are the following commits on Linus tree,
  ee8413b01045c74340aa13ad5bdf905de32be736
    ALSA: timer: Fix double unlink of active_list

  af368027a49a751d6ff4ee9e3f9961f35bb4fede
    ALSA: timer: Fix race among timer ioctls

  b5a663aa426f4884c71cd8580adae73f33570f0d
    ALSA: timer: Harden slave timer list handling

- Deadlock at ALSA hrtimer concurrent accesses:
  http://lkml.kernel.org/r/CACT4Y+a3YzyNbgeeg2Dr2dDcUtP+=D6DxQ7Dkjn-+rEXEAP5vw () mail gmail com
  ('sound: spinlock lockup in sound/core/timer.c')

  Further tracked at the thread
  http://lkml.kernel.org/r/CACT4Y+YPVUCTenSZjLfMf08NHJm1u3--Qm6a32oTdCmxUGkC0Q () mail gmail com

  The fix is in sound git tree for-linus branch, will send a pull
  request in a couple of days:
  git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
  
  commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
    ALSA: hrtimer: Fix stall by hrtimer_cancel()


----- End forwarded message -----

Johannes
-- 
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)


Johannes
-- 
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

Attachment: signature.asc
Description: Digital signature

Current thread:

Security bugs in Linux kernel sound subsystem Johannes Segitz (Jan 19)
- Re: Security bugs in Linux kernel sound subsystem Johannes Segitz (Feb 23)
- Re: Security bugs in Linux kernel sound subsystem cve-assign (Feb 23)