Bug 1311566 - (CVE-2016-2547) CVE-2016-2547 kernel: sound: use-after-free in snd_timer_user_ioctl
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160119,repor...
Keywords: Security
Duplicates: CVE-2016-2548
Depends On: 1288993 1311573
Blocks: 1311575
Reported: 2016-02-24 08:26 EST by Andrej Nemec
Modified: 2017-01-25 05:27 EST
Doc Type: Bug Fix
Last Closed: 2016-03-08 06:10:31 EST
Description Andrej Nemec 2016-02-24 08:26:59 EST
A slave timer instance might still be accessible in a racy way while operating the master instance, as it lacks locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too.

Upstream patch:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d

External references:

http://marc.info/?l=linux-kernel&m=145269654327048
https://gist.githubusercontent.com/dvyukov/e833610757b098956b50/raw/d819cd13b466e4adbe3dd825ee481e4512e77633/gistfile1.txt

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q1/133

http://seclists.org/oss-sec/2016/q1/410
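
Added example (not part of the bug report and not kernel code): a single-threaded C model of the race in the description, where a slave is closed while the master path walks the slave list under timer->lock, first without and then with the closer honouring that lock. The struct and function names and the simulated "second CPU" are illustrative assumptions.

```c
#include <stddef.h>

/* Toy single-threaded model; names are illustrative and only loosely
 * mirror the ALSA timer code. A flag stands in for the timer spinlock. */
struct timer { int lock_held; };
struct inst {
    struct timer *timer;   /* NULL once the instance is closed */
    struct inst *next;     /* link in the master's slave list */
    int closed;            /* the real object would be freed after close */
};

/* Close a slave. The hardened form will not unlink while the master path
 * holds timer->lock (a real spinlock would make the closer wait). */
static int close_slave(struct inst **head, struct inst *s, int hardened) {
    if (hardened && s->timer && s->timer->lock_held)
        return 0;                          /* must wait for the lock holder */
    for (struct inst **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == s) { *pp = s->next; break; }
    s->timer = NULL; s->closed = 1;
    return 1;
}

/* Master operation: walks the slave list under timer->lock. `victim` is
 * closed by a simulated second CPU while the walker sits one node before it. */
static int tick(struct timer *t, struct inst **head, struct inst *victim, int hardened) {
    int deferred = 0, stale = 0;
    t->lock_held = 1;
    for (struct inst *s = *head, *n; s; s = n) {
        n = s->next;                       /* walker caches the next node */
        if (n == victim && !close_slave(head, victim, hardened))
            deferred = 1;                  /* closer blocked on the lock */
        if (s->closed) stale++;            /* would be a use-after-free */
    }
    t->lock_held = 0;
    if (deferred) close_slave(head, victim, hardened);  /* closer proceeds now */
    return stale;
}

/* Three slaves a -> b -> c; b is closed mid-walk. Returns stale visits. */
int run_model(int hardened) {
    struct timer t = {0};
    struct inst c = {&t, NULL, 0}, b = {&t, &c, 0}, a = {&t, &b, 0};
    struct inst *head = &a;
    return tick(&t, &head, &b, hardened);
}
```

With the closer ignoring the lock the walker visits one already-closed slave; with the closer serialized on timer->lock it visits none and the slave is still closed once the walk ends.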
Comment 1 Josh Boyer 2016-02-24 08:57:34 EST
This was fixed in 4.3.5 with:

commit ea7f3d59628930dc29482a292e2a55c81cac52a4
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Jan 14 16:30:58 2016 +0100

    ALSA: timer: Harden slave timer list handling
    
    commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.
    

and in 4.4.1 with:

commit 8eff3aa0a9bbb593dce0ec0344ec1961318e44c8
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Jan 14 16:30:58 2016 +0100

    ALSA: timer: Harden slave timer list handling
    
    commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.

All Fedora branches are on those or newer.  This issue is fixed in Fedora.
Comment 3 Vladis Dronov 2016-03-08 06:10:31 EST
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2, as the flaw was already fixed in the products listed.
Comment 4 Vladis Dronov 2016-03-11 12:55:26 EST
*** Bug 1311568 has been marked as a duplicate of this bug. ***
