Bug 1550142 (CVE-2018-7566) - CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OOB-access
Summary: CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OO...
Status: NEW
Alias: CVE-2018-7566
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180214,repor...
Keywords: Security
Depends On: 1550174 1695790 1550143 1550169 1550170 1550171 1550172 1550173 1550175 1550176 1695791
Blocks: 1539809
TreeView+ depends on / blocked
 
Reported: 2018-02-28 15:53 UTC by Vladis Dronov
Modified: 2019-04-03 18:26 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2384 None None None 2018-08-14 18:44 UTC
Red Hat Product Errata RHSA-2018:2390 None None None 2018-08-14 18:25 UTC
Red Hat Product Errata RHSA-2018:2395 None None None 2018-08-14 20:23 UTC
Red Hat Product Errata RHSA-2018:2948 None None None 2018-10-30 08:58 UTC

Description Vladis Dronov 2018-02-28 15:53:24 UTC
ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access.

References:

http://mailman.alsa-project.org/pipermail/alsa-devel/2018-February/132026.html

https://marc.info/?l=alsa-devel&m=151859118611846&w=2

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d15d662e89fc667b90cd294b0eb45694e33144da

Comment 1 Vladis Dronov 2018-02-28 15:56:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1550143]

Comment 3 Justin M. Forbes 2018-02-28 16:27:17 UTC
This was fixed for Fedora with the 4.15.5 stable updates.

Comment 5 Vladis Dronov 2018-02-28 17:24:12 UTC
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, its real-time kernel, Red Hat Enterprise MRG 2, Red Hat Enterprise Linux 7 for ARM 64 and Red Hat Enterprise Linux 7 for Power 9 LE. Future Linux kernel updates for the respective releases may address this issue.

Comment 7 errata-xmlrpc 2018-08-14 18:25:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390

Comment 8 errata-xmlrpc 2018-08-14 18:44:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2384

Comment 9 errata-xmlrpc 2018-08-14 20:23:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2395

Comment 10 errata-xmlrpc 2018-10-30 08:58:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948


Note You need to log in before you can comment on or make changes to this bug.