Bug 638478 (CVE-2010-3442) - CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new()
Summary: CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new()
Status: CLOSED ERRATA
Alias: CVE-2010-3442
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100928,reported=20100929,sou...
Keywords: Security
Depends On: 638479 638480 638481 638482 638483 638484 638485 638486
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-29 06:44 UTC by Eugene Teo (Security Response)
Modified: 2018-11-14 16:35 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 08:54:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0842 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-11-22 19:34:20 UTC
Red Hat Product Errata RHSA-2010:0936 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-12-06 14:19:04 UTC
Red Hat Product Errata RHSA-2010:0958 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2010-12-08 19:08:55 UTC
Red Hat Product Errata RHSA-2011:0004 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2011-01-04 16:52:05 UTC

Description Eugene Teo (Security Response) 2010-09-29 06:44:04 UTC
Description of problem:
The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow.  If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk.  This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.

Comment 3 Jerome Marchand 2010-10-15 09:05:57 UTC
One little precision : the problem only affects 32 bits archs. 64 bits arch are not affected because control->count is an int (32 bits) and the argument of kzalloc() is a size_t (64 bits), thus the overflow can not occur.

Comment 4 errata-xmlrpc 2010-11-10 19:08:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 5 errata-xmlrpc 2010-11-22 19:35:09 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 6 errata-xmlrpc 2010-12-01 22:24:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0936 https://rhn.redhat.com/errata/RHSA-2010-0936.html

Comment 7 errata-xmlrpc 2010-12-08 19:09:13 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2010:0958 https://rhn.redhat.com/errata/RHSA-2010-0958.html

Comment 8 errata-xmlrpc 2011-01-04 16:52:28 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0004 https://rhn.redhat.com/errata/RHSA-2011-0004.html


Note You need to log in before you can comment on or make changes to this bug.