[kernel] r16832 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jan 17 20:11:52 UTC 2011
Author: dannf
Date: Mon Jan 17 20:11:37 2011
New Revision: 16832
Log:
sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:07:18 2011 (r16831)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jan 17 20:11:37 2011 (r16832)
@@ -20,6 +20,7 @@
* econet: Fix crash in aun_incoming() (CVE-2010-4343)
* install_special_mapping skips security_file_mmap check (CVE-2010-4346)
* sctp: a race between ICMP protocol unreachable and connect() (CVE-2010-4526)
+ * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
[ Moritz Muehlenhoff ]
* blkback/blktap/netback: Fix CVE-2010-3699
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch Mon Jan 17 20:11:37 2011 (r16832)
@@ -0,0 +1,42 @@
+commit ac371cc6a575e3f38e5f7d80f8ad3fbf1096041e
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Sat Dec 25 16:23:40 2010 -0500
+
+ sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+ The load_mixer_volumes() function, which can be triggered by
+ unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+ a buffer overflow. Because the provided "name" argument isn't
+ guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+ to overflow past the end of the last element in the mixer_vols array.
+ Further exploitation can result in an arbitrary kernel write (via
+ subsequent calls to load_mixer_volumes()) leading to privilege
+ escalation, or arbitrary kernel reads via get_mixer_levels(). In
+ addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
+index a9c23b2..eac3c00 100644
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ int i, n;
+
+ for (i = 0; i < num_mixer_volumes; i++) {
+- if (strcmp(name, mixer_vols[i].name) == 0) {
++ if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ if (present)
+ mixer_vols[i].num = i;
+ return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ }
+ n = num_mixer_volumes++;
+
+- strcpy(mixer_vols[n].name, name);
++ strncpy(mixer_vols[n].name, name, 32);
+
+ if (present)
+ mixer_vols[n].num = n;
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:07:18 2011 (r16831)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Mon Jan 17 20:11:37 2011 (r16832)
@@ -17,3 +17,4 @@
+ bugfix/all/econet-fix-crash-in-aun_incoming.patch
+ bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
+ bugfix/all/sctp-fix-race-between-ICMP-protocol-unreachable-and-connect.patch
++ bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
More information about the Kernel-svn-changes
mailing list