Bug 630551 (CVE-2010-3080) - CVE-2010-3080 kernel: /dev/sequencer open failure is not handled correctly
Summary: CVE-2010-3080 kernel: /dev/sequencer open failure is not handled correctly
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Engineering630552 Engineering630553 Engineering630554 Engineering630555
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-06 08:05 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 16:17 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-05 18:08:52 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0007 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-01-11 19:44:55 UTC

Description Eugene Teo (Security Response) 2010-09-06 08:05:51 UTC 
Description of problem:
There is a bug in snd_seq_oss_open from sound/core/seq/oss/seq_oss_init.c. So here's the error path for some setup failure:

 _error:
    snd_seq_oss_writeq_delete(dp->writeq);
    snd_seq_oss_readq_delete(dp->readq);
    snd_seq_oss_synth_cleanup(dp);
    snd_seq_oss_midi_cleanup(dp);
    delete_port(dp);
    delete_seq_queue(dp->queue);
    kfree(dp);

This looks okay, but actually, delete_port calls port_delete (eventually...
this code is tough to follow) which does a free_devinfo on the owner struct
seq_oss_devinfo, here (around ~269 in seq_ports.c):

    if (port->private_free)
        port->private_free(port->private_data);

because of this (around ~334 in seq_oss_init.c):

    memset(&callback, 0, sizeof(callback));
    callback.owner = THIS_MODULE;
    callback.private_data = dp;
    callback.event_input = snd_seq_oss_event_input;
    callback.private_free = free_devinfo;
    port.kernel = &callback;

Which does this:

static void
free_devinfo(void *private)
{
    struct seq_oss_devinfo *dp = (struct seq_oss_devinfo *)private;

    if (dp->timer)
        snd_seq_oss_timer_delete(dp->timer);
        
    if (dp->writeq)
        snd_seq_oss_writeq_delete(dp->writeq);

    if (dp->readq)
        snd_seq_oss_readq_delete(dp->readq);
    
    kfree(dp);
}

So.....

    delete_port(dp);
    delete_seq_queue(dp->queue); <= Oops, dereferencing released pointer.
    kfree(dp);                   <= Oops, double free.

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.
Comment 2 Eugene Teo (Security Response) 2010-09-06 08:11:51 UTC 
Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only.
Comment 3 Eugene Teo (Security Response) 2010-09-08 08:37:04 UTC 
Patch: http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=c598337660c21c0afaa9df5a65bb4a7a0cf15be8
Comment 5 Chuck Ebbert 2010-09-10 16:59:31 UTC 
Now merged upstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=27f7ad53829f79e799a253285318bff79ece15bd
Comment 6 Chuck Ebbert 2010-09-21 03:29:38 UTC 
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
Comment 7 errata-xmlrpc 2011-01-11 19:45:28 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0007 https://rhn.redhat.com/errata/RHSA-2011-0007.html
Note You need to log in before you can comment on or make changes to this bug.