It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. Upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1620291]
This was fixed for Fedora users with the 4.17.10 stable kernel update
Statement: This flaw affects all current shipping releases of Red Hat Enterprise Linux. This flaw requires real or emulated midi hardware available in the system. Fixes will be delivered when available.
Acknowledgments: Name: Trend Micro Zero Day Initiative
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:0415 https://access.redhat.com/errata/RHSA-2019:0415
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:0641 https://access.redhat.com/errata/RHSA-2019:0641
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:3967