oss-sec mailing list archives
Re: Security bugs in Linux kernel sound subsystem
From: Johannes Segitz <jsegitz () suse com>
Date: Tue, 23 Feb 2016 15:26:52 +0100
ping, please have a look On Tue, Jan 19, 2016 at 09:33:36AM +0100, Johannes Segitz wrote:
Hi, Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been triggered by syzkaller fuzzer. These can allow a user to DoS the system. Please assign CVEs to the issues listed below. Thanks. (the link http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA () mail gmail com is dead, http://www.spinics.net/lists/alsa-devel/msg45102.html should contain the information) ----- Forwarded message from Takashi Iwai ----- - NULL dereference via ALSA sequencer access: http://lkml.kernel.org/r/CACT4Y+auYVVmKL37ijBWamQQ7zGKVVFHemyAiELW5DC0Fz7V3g () mail gmail com ('sound: GPF in snd_seq_fifo_clear') The fix is on Linus tree, commit 030e2c78d3a91dd0d27fef37e91950dde333eba1 ALSA: seq: Fix missing NULL check at remove_events ioctl - Race at ALSA sequencer timer setup and close: http://lkml.kernel.org/r/CACT4Y+borJj9XYEtXzLUbH9gUipPi9TQaj_O8Sw3tNUvFODPZA () mail gmail com ('sound: use-after-free in snd_timer_stop') The fix is on Linus tree, commit 3567eb6af614dac436c4b16a8d426f9faed639b3 ALSA: seq: Fix race at timer setup and close - Race among ALSA timer ioctls: this is triggered by a few different fuzzer cases, and involved with multiple fix commits. http://lkml.kernel.org/r/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw () mail gmail com ('sound: use-after-free in snd_timer_interrupt') http://lkml.kernel.org/r/CACT4Y+bC5FMVFuk1VcqVtMyqvDyeKN4NrdxV+5eX93_Zr8L63Q () mail gmail com ('sound: GPF in snd_timer_user_params') http://lkml.kernel.org/r/CACT4Y+akV9XyDC_kmBQZV-26Py13E6sYASXaP4GKLNbRh6nZnA () mail gmail com ('sound: use-after-free in snd_timer_user_ioctl') The fixes are the following commits on Linus tree, ee8413b01045c74340aa13ad5bdf905de32be736 ALSA: timer: Fix double unlink of active_list af368027a49a751d6ff4ee9e3f9961f35bb4fede ALSA: timer: Fix race among timer ioctls b5a663aa426f4884c71cd8580adae73f33570f0d ALSA: timer: Harden slave timer list handling - Deadlock at ALSA hrtimer concurrent accesses: http://lkml.kernel.org/r/CACT4Y+a3YzyNbgeeg2Dr2dDcUtP+=D6DxQ7Dkjn-+rEXEAP5vw () mail gmail com ('sound: spinlock lockup in sound/core/timer.c') Further tracked at the thread http://lkml.kernel.org/r/CACT4Y+YPVUCTenSZjLfMf08NHJm1u3--Qm6a32oTdCmxUGkC0Q () mail gmail com The fix is in sound git tree for-linus branch, will send a pull request in a couple of days: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git commit 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3 ALSA: hrtimer: Fix stall by hrtimer_cancel() ----- End forwarded message ----- Johannes -- GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0 Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
Johannes -- GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0 Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Security bugs in Linux kernel sound subsystem Johannes Segitz (Jan 19)
- Re: Security bugs in Linux kernel sound subsystem Johannes Segitz (Feb 23)
- Re: Security bugs in Linux kernel sound subsystem cve-assign (Feb 23)