oss-sec mailing list archives
Linux Kernel: ALSA: use-after-free Write in snd_rawmidi_kernel_write1
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Tue, 1 Dec 2020 13:51:58 +0800
Hi,

I reported a use-after-free bug in snd_rawmidi_kernel_write1 in sound/core/rawmidi.c months ago. And I reproduced it in the latest version linux-5.7.0 at that time.

Description:
It was found that the raw midi kernel driver does not protect against concurrent access which leads to a use-after-free in snd_rawmidi_kernel_read1() and snd_rawmidi_kernel_write1() in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.

Root Cause:
The rawmidi core allows user to resize the runtime buffer via ioctl, and this may lead to UAF when performed during concurrent reads or writes: the read/write functions unlock the runtime lock temporarily during copying from/to user-space, and that's the race window.

Patch for this issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d

CVE assigned: not assigned.

Timeline:
*2020/5/7 - Vulnerability reported to security () kernel org.
*2020/5/7 - Vulnerability confirmed and patched.
*2020/5/18 - Request a CVE ID via https://cveform.mitre.org/
*2020/11/18 - CVE Request responded but not assigned.
*2020/11/18 - Reported to Red Hat.
*2020/12/1 - Opened on oss-security () lists openwall com

Credit:
This issue was discovered by the ADLab of venustech.

Regards.
butt3rflyh4ck.
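The fix linked in the post closes the race window described above by reference-counting the runtime buffer: a read or write pins the buffer before it drops the lock to copy, and a resize that finds the count non-zero fails with -EBUSY instead of freeing a buffer someone still points at. The following is an added userspace model of that pattern, not the kernel's code; the struct rt_buffer, write1_begin(), write1_end() and resize_runtime_buffer() names are hypothetical.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

/* Toy model of the rawmidi runtime buffer (added example; hypothetical names,
 * not the kernel's own). The lock guards the fields; buffer_ref counts copies
 * that are in flight while the lock is dropped. */
struct rt_buffer {
    pthread_mutex_t lock;
    unsigned char *buffer;
    size_t buffer_size;
    int buffer_ref;
};

static struct rt_buffer rt = { PTHREAD_MUTEX_INITIALIZER, NULL, 0, 0 };

static void rt_init(size_t size) { rt.buffer = calloc(size, 1); rt.buffer_size = size; rt.buffer_ref = 0; }

/* Write path, step 1: pin the buffer, snapshot it, drop the lock for the copy.
 * The gap between this call and write1_end() is the race window from the report. */
static unsigned char *write1_begin(size_t *avail)
{
    pthread_mutex_lock(&rt.lock);
    rt.buffer_ref++;
    unsigned char *buf = rt.buffer;
    *avail = rt.buffer_size;
    pthread_mutex_unlock(&rt.lock);
    return buf;
}

/* Write path, step 2: the copy has finished, release the pin. */
static void write1_end(void) { pthread_mutex_lock(&rt.lock); rt.buffer_ref--; pthread_mutex_unlock(&rt.lock); }

/* ioctl resize path: refuse while any copy is pinned, so the old buffer is never
 * freed under a pointer that a reader or writer still holds. */
static int resize_runtime_buffer(size_t new_size)
{
    pthread_mutex_lock(&rt.lock);
    if (rt.buffer_ref) { pthread_mutex_unlock(&rt.lock); return -EBUSY; }
    unsigned char *newbuf = calloc(new_size, 1);
    if (!newbuf) { pthread_mutex_unlock(&rt.lock); return -ENOMEM; }
    unsigned char *oldbuf = rt.buffer;
    rt.buffer = newbuf;
    rt.buffer_size = new_size;
    pthread_mutex_unlock(&rt.lock);
    free(oldbuf);   /* safe: buffer_ref was zero while we held the lock */
    return 0;
}
```

Calling resize_runtime_buffer() between write1_begin() and write1_end() returns -EBUSY and leaves the pinned pointer valid; once write1_end() has run, the same resize succeeds.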