2338210 – (CVE-2024-57893) CVE-2024-57893 kernel: ALSA: seq: oss: Fix races at processing SysEx messages

Bug 2338210 (CVE-2024-57893) - CVE-2024-57893 kernel: ALSA: seq: oss: Fix races at processing SysEx messages

Summary: CVE-2024-57893 kernel: ALSA: seq: oss: Fix races at processing SysEx messages

Keywords:
Status:	NEW
Alias:	CVE-2024-57893
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-01-15 14:03 UTC by OSIDB Bzimport
Modified:	2025-01-15 15:16 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-01-15 14:03:30 UTC

In the Linux kernel, the following vulnerability has been resolved:

ALSA: seq: oss: Fix races at processing SysEx messages

OSS sequencer handles the SysEx messages split in 6 bytes packets, and
ALSA sequencer OSS layer tries to combine those.  It stores the data
in the internal buffer and this access is racy as of now, which may
lead to the out-of-bounds access.

As a temporary band-aid fix, introduce a mutex for serializing the
process of the SysEx message packets.

Comment 1 Robb Gatica 2025-01-15 15:14:21 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025011513-CVE-2024-57893-b263@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.