[kernel-sec-discuss] r1980 - active

Moritz Muehlenhoff jmm at alioth.debian.org
Thu Sep 30 09:00:56 UTC 2010


Author: jmm
Date: 2010-09-30 09:00:35 +0000 (Thu, 30 Sep 2010)
New Revision: 1980

Added:
   active/CVE-2010-3442
Log:
new issue


Added: active/CVE-2010-3442
===================================================================
--- active/CVE-2010-3442	                        (rev 0)
+++ active/CVE-2010-3442	2010-09-30 09:00:35 UTC (rev 1980)
@@ -0,0 +1,23 @@
+Candidate: CVE-2010-3442
+Description:
+ > On 09/29/2010 03:01 PM, Marcus Meissner wrote:
+ > > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
+ > >> Reported by Dan Rosenberg. The snd_ctl_new() function in
+ > >> sound/core/control.c allocates space for a snd_kcontrol struct by
+ > >> performing arithmetic operations on a user-provided size without
+ > >> checking for integer overflow.  If a user provides a large enough size
+ > >> an overflow will occur, the allocated chunk will be too small, and a
+ > >> second user-influenced value will be written repeatedly past the bounds
+ > >> of this chunk. This code is reachable by unprivileged users who have
+ > >> permission to open a /dev/snd/controlC* device (on many distros, this is
+ >  >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
+ > >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779
+Notes:
+Bugs:
+upstream: needed
+2.6.32-upstream-stable: needed
+linux-2.6: needed
+2.6.26-lenny-security:
+2.6.32-squeeze-security: needed




More information about the kernel-sec-discuss mailing list