Bug 2125879 (CVE-2022-3170) - CVE-2022-3170 kernel: ALSA: control: out-of-bounds access in get_ctl_id_hash()
Summary: CVE-2022-3170 kernel: ALSA: control: out-of-bounds access in get_ctl_id_hash()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-3170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2121805
TreeView+ depends on / blocked
 
Reported: 2022-09-11 13:31 UTC by Mauro Matteo Cascella
Modified: 2022-09-11 13:43 UTC (History)
40 users (show)

Fixed In Version: kernel 6.0-rc4
Doc Type: ---
Doc Text:
An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\0'. A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-09-11 13:43:27 UTC
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2022-09-11 13:31:33 UTC 
Since the user can control the arguments provided to the kernel by the ioctl() system call, an out-of-bounds bug occurs when the 'id->name' provided by the user does not end with '\0'.

Upstream commits:
https://github.com/torvalds/linux/commit/6ab55ec0a938c7f943a4edba3d6514f775983887
https://github.com/torvalds/linux/commit/5934d9a0383619c14df91af8fd76261dc3de2f5f
Comment 1 Mauro Matteo Cascella 2022-09-11 13:43:27 UTC 
Red Hat Enterprise Linux 6, 7, 8 and 9 are not affected by this flaw as they did not include support for faster lookup of control elements (upstream commit that introduced the bug): https://github.com/torvalds/linux/commit/c27e1ef.
Note You need to log in before you can comment on or make changes to this bug.