Bug 567168 (CVE-2010-1085)

Summary: CVE-2010-1085 kernel: ALSA: hda-intel: Avoid divide by zero crash
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: arozansk, davej, dhoward, jolsa, jpirko, kmcmartin, lgoncalv, lwang, plyons, pmatouse, tcallawa, vgoyal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 08:54:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 567169, 567170, 567171, 567172, 567173
Bug Blocks:

Description Eugene Teo (Security Response) 2010-02-22 03:48:24 UTC
Description of problem:
[1.] One line summary of the problem:
hda-intel crashes the kernel due to a divide by zero in azx_position_ok

[2.] Full description of the problem/report:
Using mp3blaster-3.2.5 (latest version) to play MP3 audio, the reporter was able to crash the kernel by stopping and restarting playback using the "5" key repeatedly. This happens as a normal user, not only as root. The kernel backtrace points to azx_position_ok() dividing by zero, so he wrote a tiny patch to investigate, which reported the values of pos and azx_dev->period_bytes via printk(); on crash, both were 0. The offending operation is:

  if (pos % azx_dev->period_bytes > azx_dev->period_bytes / 2)

which is obviously the source of the crash. This happens on linux 2.6.32.7 as well as linux 2.6.33-rc6.

Upstream commit:
http://git.kernel.org/linus/fed08d036f2aabd8d0c684439de37f8ebec2bbc2

References:
http://lkml.org/lkml/2010/2/6/40
http://nctritech.net/bugreport.txt
http://lwn.net/Articles/375417/

Requested a CVE name for this.

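The following is an added example written for this page; it is not the hda-intel driver's code and not from the reporter's patch. It models the check quoted above in two forms: the unguarded one, where `pos % period_bytes` and `period_bytes / 2` trap on an integer divide by zero when the stream has been torn down (period_bytes == 0), and a guarded one that returns early instead of dividing. The function names, the -1/0/1 return convention, and the sample sequence are assumptions made here for illustration; whether the guarded form matches the upstream commit line for line is not something this page shows.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/*
 * Model of the position check quoted in the report. Stand-alone functions
 * written for this page, not the driver's code; names and the return
 * convention are assumptions.
 */

/* Unguarded form: modulo and division by period_bytes with no zero check.
 * With period_bytes == 0 the integer divide traps (#DE on x86), which in an
 * interrupt handler means a kernel oops. Never call this with
 * period_bytes == 0; it is here only to show the unguarded shape. */
static bool position_ok_unguarded(unsigned int pos, unsigned int period_bytes)
{
    if (pos % period_bytes > period_bytes / 2)
        return false;   /* below the period boundary, not ok yet */
    return true;
}

/* Guarded form: bail out when no period size is configured, the state a
 * stop/restart sequence can leave behind. Returns -1 for "invalid state,
 * skip", 0 for "not ok yet", 1 for "ok". */
static int position_ok_guarded(unsigned int pos, unsigned int period_bytes)
{
    if (period_bytes == 0)
        return -1;
    if (pos % period_bytes > period_bytes / 2)
        return 0;
    return 1;
}

/* Drive the guarded check over a constructed sequence: a configured stream,
 * then the torn-down state (pos == 0, period_bytes == 0) the reporter saw
 * via printk(). Returns how many calls would have divided by zero. */
static int replay_constructed_sequence(void)
{
    const struct { unsigned int pos, period_bytes; } samples[] = {
        {  100, 1024 },  /* playing: 100 % 1024 = 100, not past half */
        {  600, 1024 },  /* playing: 600 > 512, below next boundary */
        {    0,    0 },  /* after stop/restart: the values that crashed */
        { 2148, 1024 },  /* restarted: 2148 % 1024 = 100 */
    };
    int trapped = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = position_ok_guarded(samples[i].pos, samples[i].period_bytes);
        if (r < 0)
            trapped++;
        printf("pos=%u period_bytes=%u -> %s\n",
               samples[i].pos, samples[i].period_bytes,
               r < 0 ? "skipped (would divide by zero)" : r ? "ok" : "not yet");
    }
    return trapped;
}

int main(void)
{
    /* Exit 0 if exactly the torn-down sample was refused. */
    return replay_constructed_sequence() == 1 ? 0 : 1;
}
```

The point for a reviewer is that the guard must sit before the first use of period_bytes as a divisor, and the caller must treat the "invalid state" return as "do nothing this interrupt" rather than as a period boundary.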
Comment 2 errata-xmlrpc 2010-05-05 13:05:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0394 https://rhn.redhat.com/errata/RHSA-2010-0394.html

Comment 3 errata-xmlrpc 2010-05-06 18:49:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0398 https://rhn.redhat.com/errata/RHSA-2010-0398.html