Bug 1550142 (CVE-2018-7566)

Summary: CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OOB-access
Product: [Other] Security Response Reporter: Vladis Dronov <vdronov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, ajax, apmukher, bskeggs, carnil, ewk, hdegoede, ichavero, itamar, jarodwilson, jforbes, jglisse, john.j5live, jonathan, josef, jwboyer, kernel-maint, labbott, linville, mchehab, mjg59, mmilgram, steved, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:41:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1550143, 1550169, 1550170, 1550171, 1550172, 1550173, 1550174, 1550175, 1550176, 1695790, 1695791    
Bug Blocks: 1539809    

Description Vladis Dronov 2018-02-28 15:53:24 UTC
ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access.

References:

http://mailman.alsa-project.org/pipermail/alsa-devel/2018-February/132026.html

https://marc.info/?l=alsa-devel&m=151859118611846&w=2

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d15d662e89fc667b90cd294b0eb45694e33144da

Comment 1 Vladis Dronov 2018-02-28 15:56:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1550143]

Comment 3 Justin M. Forbes 2018-02-28 16:27:17 UTC
This was fixed for Fedora with the 4.15.5 stable updates.

Comment 5 Vladis Dronov 2018-02-28 17:24:12 UTC
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, its real-time kernel, Red Hat Enterprise MRG 2, Red Hat Enterprise Linux 7 for ARM 64 and Red Hat Enterprise Linux 7 for Power 9 LE. Future Linux kernel updates for the respective releases may address this issue.

Comment 7 errata-xmlrpc 2018-08-14 18:25:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390

Comment 8 errata-xmlrpc 2018-08-14 18:44:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2384

Comment 9 errata-xmlrpc 2018-08-14 20:23:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2395

Comment 10 errata-xmlrpc 2018-10-30 08:58:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948

Comment 12 errata-xmlrpc 2019-06-17 19:09:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1483

Comment 13 errata-xmlrpc 2019-06-17 19:56:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:1487 https://access.redhat.com/errata/RHSA-2019:1487