567168 – (CVE-2010-1085) CVE-2010-1085 kernel: ALSA: hda-intel: Avoid divide by zero crash

Bug 567168 (CVE-2010-1085) - CVE-2010-1085 kernel: ALSA: hda-intel: Avoid divide by zero crash

Summary: CVE-2010-1085 kernel: ALSA: hda-intel: Avoid divide by zero crash

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-1085
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	567169 567170 567171 567172 567173
Blocks:
TreeView+	depends on / blocked

Reported:	2010-02-22 03:48 UTC by Eugene Teo (Security Response)
Modified:	2021-11-12 20:05 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-03-28 08:54:20 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0394	0	normal	SHIPPED_LIVE	Important: kernel security, bug fix, and enhancement update	2010-05-05 13:05:05 UTC
Red Hat Product Errata	RHSA-2010:0398	0	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2010-05-06 18:49:33 UTC

Description Eugene Teo (Security Response) 2010-02-22 03:48:24 UTC

Description of problem:
[1.] One line summary of the problem:
hda-intel crashes the kernel due to a divide by zero in azx_position_ok

[2.] Full description of the problem/report:
Using mp3blaster-3.2.5 (latest version) to play MP3 audio, the reporter was able to crash the kernel by stopping and restarting playback using the "5" key repeatedly.  This happens as a normal user, not only as root.  Kernel backtrace points to azx_position_ok() dividing by zero, so he wrote a tiny patch to investigate which reported via printk() values of pos and azx_dev->period_bytes; on crash, both were 0.  The offending operation does: if (pos % azx_dev->period_bytes > azx_dev->period_bytes / 2) which obviously is the source of the crash. This happens on linux 2.6.32.7 as well as linux 2.6.33-rc6.

Upstream commit:
http://git.kernel.org/linus/fed08d036f2aabd8d0c684439de37f8ebec2bbc2

References:
http://lkml.org/lkml/2010/2/6/40
http://nctritech.net/bugreport.txt
http://lwn.net/Articles/375417/

Requested a CVE name for this.

Comment 2 errata-xmlrpc 2010-05-05 13:05:20 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0394 https://rhn.redhat.com/errata/RHSA-2010-0394.html

Comment 3 errata-xmlrpc 2010-05-06 18:49:44 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0398 https://rhn.redhat.com/errata/RHSA-2010-0398.html

Note You need to log in before you can comment on or make changes to this bug.