[CVE-2010-4527 Karmic] sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527

Tim Gardner tim.gardner at canonical.com
Fri Mar 18 01:32:32 UTC 2011 

On 03/17/2011 03:58 PM, Leann Ogasawara wrote:
> The following changes since commit a03e8e64c82377c67d844a823e6a1ac673debc73:
>    Tavis Ormandy (1):
>          Revised [CVE-2010-4345 Karmic] install_special_mapping skips security_file_mmap check. CVE-2010-4346
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-karmic.git CVE-2010-4527
>
> Dan Rosenberg (1):
>        sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527
>
>   sound/oss/soundcard.c |    4 ++--
>   1 files changed, 2 insertions(+), 2 deletions(-)
>
>  From 20c0067ab984fe024e594a2aa8429fa9a23c1001 Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg<drosenberg at vsecurity.com>
> Date: Sat, 25 Dec 2010 16:23:40 -0500
> Subject: [PATCH] sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527
>
> CVE-2010-4527
>
> BugLink: http://bugs.launchpad.net/bugs/737073
>
> The load_mixer_volumes() function, which can be triggered by
> unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
> a buffer overflow.  Because the provided "name" argument isn't
> guaranteed to be NULL terminated at the expected 32 bytes, it's possible
> to overflow past the end of the last element in the mixer_vols array.
> Further exploitation can result in an arbitrary kernel write (via
> subsequent calls to load_mixer_volumes()) leading to privilege
> escalation, or arbitrary kernel reads via get_mixer_levels().  In
> addition, the strcmp() may leak bytes beyond the mixer_vols array.
>
> Signed-off-by: Dan Rosenberg<drosenberg at vsecurity.com>
> Cc: stable<stable at kernel.org>
> Signed-off-by: Takashi Iwai<tiwai at suse.de>
> (cherry picked from commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb)
>
> Signed-off-by: Leann Ogasawara<leann.ogasawara at canonical.com>
> ---
>   sound/oss/soundcard.c |    4 ++--
>   1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
> index 61aaeda..31ee786 100644
> --- a/sound/oss/soundcard.c
> +++ b/sound/oss/soundcard.c
> @@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
>   	int             i, n;
>
>   	for (i = 0; i<  num_mixer_volumes; i++) {
> -		if (strcmp(name, mixer_vols[i].name) == 0) {
> +		if (strncmp(name, mixer_vols[i].name, 32) == 0) {
>   			if (present)
>   				mixer_vols[i].num = i;
>   			return mixer_vols[i].levels;
> @@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
>   	}
>   	n = num_mixer_volumes++;
>
> -	strcpy(mixer_vols[n].name, name);
> +	strncpy(mixer_vols[n].name, name, 32);
>
>   	if (present)
>   		mixer_vols[n].num = n;

Acked-by: Tim Gardner <tim.gardner at canonical.com>

-- 
Tim Gardner tim.gardner at canonical.com

More information about the kernel-team mailing list