oss-sec mailing list archives
CVE-2018-10902 - linux kernel - double free in midi subsystem
From: Wade Mealing <wmealing () redhat com>
Date: Tue, 21 Aug 2018 13:29:34 +1000
Gday, The linux midi subsystem has a possible memory corruption flaw accessing midi devices. This was fixes upstream in commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0 (4.18 and newer not affected). Red hat has assigned CVE-2018-10902 for this issue. The raw midi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. Here is an excerpt of the concerned code: ``` if (params->buffer_size != runtime->buffer_size) { newbuf = krealloc(runtime->buffer, params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; runtime->avail = runtime->buffer_size; } ``` If a midi device is plugged in or emulated (which is the case under a default VMware instance), then this device driver is reachable via /dev/snd/midiC0D* interfaces. This can lead to memory corruption and all the fun that follows if abused correctly. Thanks to ZDI has done the reporting to Red Hat, https://bugzilla.redhat.com/show_bug.cgi?id=1590720 -- Wade Mealing Product Security - Kernel, RHCE Red Hat
Current thread:
- CVE-2018-10902 - linux kernel - double free in midi subsystem Wade Mealing (Aug 20)