Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201406260552.s5Q5qQ9T014584@linus.mitre.org>
Date: Thu, 26 Jun 2014 01:52:26 -0400 (EDT)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel ALSA core control API vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=07f4d9d74a04aa7c72c5dae0ef97565f28f17b92
> ALSA: control: Protect user controls against concurrent access

> The user-control put and get handlers as well as the tlv do not
> protect against concurrent access from multiple threads. Since the
> state of the control is not updated atomically it is possible that
> either two write operations or a write and a read operation race
> against each other. Both can lead to arbitrary memory disclosure.

> (aka "The first issue is a race conditions in the user-control put/get
> and tlv handlers" ... "first affected release is v2.6.18")

Use CVE-2014-4652.



> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=fd9f26e4eca5d08a27d12c0933fceef76ed9663d
> ALSA: control: Don't access controls outside of protected regions

> A control that is visible on the card->controls list can be freed at
> any time. This means we must not access any of its memory while not
> holding the controls_rw_lock. Otherwise we risk a use after free
> access.

> (aka "There are a couple of places where a kcontrol is de-referenced
> after controls_rwsem has been released" ... "first affected release
> predates the git history")

Use CVE-2014-4653.



> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=82262a46627bebb0febcc26664746c25cef08563
> ALSA: control: Fix replacing user controls

> The first is that the code does not check if the control is actually a
> user control and neither does it check if the control is owned by the
> process that tries to remove it. That allows userspace applications to
> remove arbitrary controls, which can cause a user after free

> (aka "The next issue is that SNDRV_CTL_IOCTL_ELEM_REPLACE does no
> permission checking on the control that is to be replaced. This allows
> a application to remove controls that were created by the kernel
> driver and also controls that are locked by other applications." ...
> "first affected release predates the git history")

Use CVE-2014-4654.


> The second issue is that on one hand when a control is replaced the
> user_ctl_count limit is not checked and on the other hand the
> user_ctl_count is increased (even though the number of user controls
> does not change). This allows userspace, once the user_ctl_count limit
> as been reached, to repeatedly replace a control until user_ctl_count
> overflows.

> (aka "SNDRV_CTL_IOCTL_ELEM_REPLACE also gets the user_ctl_count
> handling wrong" ... "first affected release predates the git history")

Use CVE-2014-4655.

[ in other words, two different CVE IDs for the
  82262a46627bebb0febcc26664746c25cef08563 commit ]



> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e
> ALSA: control: Make sure that id->index does not overflow

> if (id.index > UINT_MAX - kcontrol->count)
>     goto error;


> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=ac902c112d90a89e59916f751c2745f4dbdbb4bd
> ALSA: control: Handle numid overflow

> if (card->last_numid >= UINT_MAX - count)
>    card->last_numid = 0;

> (aka "The last two issues are overflows of id.index and id.numid" ...
> "first affected release predates the git history")

Use CVE-2014-4656.

[ in other words, a single CVE ID for both the
  883a1d49f0d77d30012f114b2e19fc141beb3e8e and
  ac902c112d90a89e59916f751c2745f4dbdbb4bd commits ]

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTq7SSAAoJEKllVAevmvmsWqcH+wZvqFs9w+jOaeImZ29/XWbX
lEnH70xDxS81Bp0MAst5Ve4w1sH5neTC1K97x8cpmXvgBmYdiTtAnB+EzidrStin
1WKBSfAc4jx/Xt7FWwXgWSzCVGxotVGpk74MP4l/bpoOqFhXO5wQSGjGOEvX0qaF
oVlep0ftGTVowoamTznrDnIEhVtdCBgymrHSSoz3LfSIHVBVqIt7WdFOcfXW4/aa
lcPAG42sfoaQRPwE9VOIl7yVouMjHOBq4LFyamSXN2D8it3OrszQi1aayTWw/Fwo
cASkfa+OtNPPJobRgzQFRellzsbfvmVlWOy7n54rQNUcG/N7P7a8kNHL5qU2Br4=
=kz9h
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.