oss-sec mailing list archives

Re: CVE Request: alsa: kernel information leak vulnerability in Linux sound/core/timer

From: Takashi Iwai <tiwai () suse de>
Date: Wed, 11 May 2016 08:52:16 +0200

On Tue, 10 May 2016 21:27:58 +0200,
Kangjie Lu wrote:


Hello,

In function snd_timer_user_ccallback() of file sound/core/timer.c,
the stack object “r1” has a total size of 32 bytes. Its field “event” and
“val” both
contain 4 bytes padding. These 8 bytes padding bytes are sent to user
without
being initialized.

Fix info:
https://git.kernel.org/cgit/linux/kernel/git/tiwai/sound.git/commit/?h=for-next&id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
Patch has been applied: http://comments.gmane.org/gmane.linux.kernel/2214250

Please help assign a CVE to this vulnerability.


Maybe we can fold all three similar bugs in sound/core/timer.c into
the existing CVE-2016-4569?

In my sound.git tree,

cec8f96e49d9be372fdb0c3836dcf31ec71e457e
  ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
  ALSA: timer: Fix leak in events via snd_timer_user_ccallback
e4ec8cc8039a7063e24204299b462bd1383184a5
  ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

BTW, at the next time, *please* put the upstream maintainer into the
loop...


Takashi

Current thread:

CVE Request: alsa: kernel information leak vulnerability in Linux sound/core/timer Kangjie Lu (May 10)
- Re: CVE Request: alsa: kernel information leak vulnerability in Linux sound/core/timer Takashi Iwai (May 11)
  - Re: CVE Request: alsa: kernel information leak vulnerability in Linux sound/core/timer cve-assign (May 11)
    - Re: CVE Request: alsa: kernel information leak vulnerability in Linux sound/core/timer Takashi Iwai (May 11)
- <Possible follow-ups>
- Re: CVE Request: alsa: kernel information leak vulnerability in Linux sound/core/timer Kangjie Lu (May 11)