Bug 630551 (CVE-2010-3080)

Summary: CVE-2010-3080 kernel: /dev/sequencer open failure is not handled correctly
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: arozansk, bhu, davej, fhrbata, jkacur, kmcmartin, lgoncalv, lwang, miturria, security-response-team, tcallawa, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-05 18:08:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 630552, 630553, 630554, 630555    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-09-06 08:05:51 UTC 
Description of problem:
There is a bug in snd_seq_oss_open from sound/core/seq/oss/seq_oss_init.c. So here's the error path for some setup failure:

 _error:
    snd_seq_oss_writeq_delete(dp->writeq);
    snd_seq_oss_readq_delete(dp->readq);
    snd_seq_oss_synth_cleanup(dp);
    snd_seq_oss_midi_cleanup(dp);
    delete_port(dp);
    delete_seq_queue(dp->queue);
    kfree(dp);

This looks okay, but actually, delete_port calls port_delete (eventually...
this code is tough to follow) which does a free_devinfo on the owner struct
seq_oss_devinfo, here (around ~269 in seq_ports.c):

    if (port->private_free)
        port->private_free(port->private_data);

because of this (around ~334 in seq_oss_init.c):

    memset(&callback, 0, sizeof(callback));
    callback.owner = THIS_MODULE;
    callback.private_data = dp;
    callback.event_input = snd_seq_oss_event_input;
    callback.private_free = free_devinfo;
    port.kernel = &callback;

Which does this:

static void
free_devinfo(void *private)
{
    struct seq_oss_devinfo *dp = (struct seq_oss_devinfo *)private;

    if (dp->timer)
        snd_seq_oss_timer_delete(dp->timer);
        
    if (dp->writeq)
        snd_seq_oss_writeq_delete(dp->writeq);

    if (dp->readq)
        snd_seq_oss_readq_delete(dp->readq);
    
    kfree(dp);
}

So.....

    delete_port(dp);
    delete_seq_queue(dp->queue); <= Oops, dereferencing released pointer.
    kfree(dp);                   <= Oops, double free.

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.
Comment 2 Eugene Teo (Security Response) 2010-09-06 08:11:51 UTC 
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only.
Comment 3 Eugene Teo (Security Response) 2010-09-08 08:37:04 UTC 
Patch: http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=c598337660c21c0afaa9df5a65bb4a7a0cf15be8
Comment 5 Chuck Ebbert 2010-09-10 16:59:31 UTC 
Now merged upstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
Comment 6 Chuck Ebbert 2010-09-21 03:29:38 UTC 
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
Comment 7 errata-xmlrpc 2011-01-11 19:45:28 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html