Bug 630551 - (CVE-2010-3080) CVE-2010-3080 kernel: /dev/sequencer open failure is not handled correctly
CVE-2010-3080 kernel: /dev/sequencer open failure is not handled correctly
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,reported=20100906,pub...
: Security
Depends On: 630552 630553 630554 630555
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-06 04:05 EDT by Eugene Teo (Security Response)
Modified: 2013-04-05 14:08 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-05 14:08:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2010-09-06 04:05:51 EDT
Description of problem:
There is a bug in snd_seq_oss_open from sound/core/seq/oss/seq_oss_init.c. So here's the error path for some setup failure:

 _error:
    snd_seq_oss_writeq_delete(dp->writeq);
    snd_seq_oss_readq_delete(dp->readq);
    snd_seq_oss_synth_cleanup(dp);
    snd_seq_oss_midi_cleanup(dp);
    delete_port(dp);
    delete_seq_queue(dp->queue);
    kfree(dp);

This looks okay, but actually, delete_port calls port_delete (eventually...
this code is tough to follow) which does a free_devinfo on the owner struct
seq_oss_devinfo, here (around ~269 in seq_ports.c):

    if (port->private_free)
        port->private_free(port->private_data);

because of this (around ~334 in seq_oss_init.c):

    memset(&callback, 0, sizeof(callback));
    callback.owner = THIS_MODULE;
    callback.private_data = dp;
    callback.event_input = snd_seq_oss_event_input;
    callback.private_free = free_devinfo;
    port.kernel = &callback;

Which does this:

static void
free_devinfo(void *private)
{
    struct seq_oss_devinfo *dp = (struct seq_oss_devinfo *)private;

    if (dp->timer)
        snd_seq_oss_timer_delete(dp->timer);
        
    if (dp->writeq)
        snd_seq_oss_writeq_delete(dp->writeq);

    if (dp->readq)
        snd_seq_oss_readq_delete(dp->readq);
    
    kfree(dp);
}

So.....

    delete_port(dp);
    delete_seq_queue(dp->queue); <= Oops, dereferencing released pointer.
    kfree(dp);                   <= Oops, double free.

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.
Comment 2 Eugene Teo (Security Response) 2010-09-06 04:11:51 EDT
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only.
Comment 6 Chuck Ebbert 2010-09-20 23:29:38 EDT
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
Comment 7 errata-xmlrpc 2011-01-11 14:45:28 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html

Note You need to log in before you can comment on or make changes to this bug.