ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. References: http://mailman.alsa-project.org/pipermail/alsa-devel/2018-February/132026.html https://marc.info/?l=alsa-devel&m=151859118611846&w=2 An upstream fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d15d662e89fc667b90cd294b0eb45694e33144da
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1550143]
This was fixed for Fedora with the 4.15.5 stable updates.
Statement: This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6, 7, its real-time kernel, Red Hat Enterprise MRG 2, Red Hat Enterprise Linux 7 for ARM 64 and Red Hat Enterprise Linux 7 for Power 9 LE. Future Linux kernel updates for the respective releases may address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2384 https://access.redhat.com/errata/RHSA-2018:2384
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2395 https://access.redhat.com/errata/RHSA-2018:2395
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1483
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:1487 https://access.redhat.com/errata/RHSA-2019:1487