First published: Wed Sep 29 2010(Updated: )
Description of problem: The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. Upstream commit: <a href="http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779">http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779</a> Acknowledgements: Red Hat would like to thank Dan Rosenberg for reporting this issue.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/linux-2.6 | ||
Linux Linux kernel | =2.6.36-rc2 | |
Linux Linux kernel | =2.6.36-rc1 | |
Linux Linux kernel | =2.6.36-rc3 | |
Linux Linux kernel | =2.6.36-rc4 | |
Linux Linux kernel | <2.6.36 | |
Linux Linux kernel | =2.6.36 | |
Fedoraproject Fedora | =13 | |
SUSE Linux Enterprise Server | =10-sp3 | |
SUSE Linux Enterprise Server | =9 | |
openSUSE openSUSE | =11.2 | |
openSUSE openSUSE | =11.3 | |
SUSE Linux Enterprise Desktop | =10-sp3 | |
SUSE Linux Enterprise Software Development Kit | =10-sp3 | |
Suse Linux Enterprise Real Time Extension | =11-sp1 | |
Debian Debian Linux | =5.0 | |
Canonical Ubuntu Linux | =10.10 | |
Canonical Ubuntu Linux | =9.04 | |
Canonical Ubuntu Linux | =9.10 | |
Canonical Ubuntu Linux | =8.04 | |
Canonical Ubuntu Linux | =10.04 | |
Canonical Ubuntu Linux | =6.06 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.