CVE-2018-10902 - linux kernel - double free in midi subsystem

[Wade Mealing <wmealing () redhat com>]

Gday,

The linux midi subsystem has a possible memory corruption flaw
accessing midi devices.

This was fixes upstream in commit
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0
(4.18 and newer not affected). Red hat has assigned CVE-2018-10902 for
this issue.

The raw midi kernel driver does not protect against concurrent access
which leads to a double-realloc (double free) in
snd_rawmidi_input_params() and snd_rawmidi_output_status() which are
part of snd_rawmidi_ioctl() handler in rawmidi.c file. Here is an
excerpt of the concerned code:

```
    if (params->buffer_size != runtime->buffer_size) {
        newbuf = krealloc(runtime->buffer, params->buffer_size,
                  GFP_KERNEL);
        if (!newbuf)
            return -ENOMEM;
        runtime->buffer = newbuf;
        runtime->buffer_size = params->buffer_size;
        runtime->avail = runtime->buffer_size;
    }
```

If a midi device is plugged in or emulated (which is the case under a
default VMware instance), then this device driver is reachable via
/dev/snd/midiC0D* interfaces.  This can lead to memory corruption and
all the fun that follows if abused correctly.

Thanks to ZDI has done the reporting to Red Hat,

https://bugzilla.redhat.com/show_bug.cgi?id=1590720

-- 
Wade Mealing

Product Security - Kernel, RHCE

Red Hat