List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: buffer overflow in OSS load_mixer_volumes
From:       Huzaifa Sidhpurwala <huzaifas () redhat ! com>
Date:       2010-12-31 7:35:11
Message-ID: 4D1D84DF.3090302 () redhat ! com

On 12/31/2010 05:32 AM, Dan Rosenberg wrote:
> "The load_mixer_volumes() function, which can be triggered by
> unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
> a buffer overflow.  Because the provided 'name' argument isn't
> guaranteed to be NULL terminated at the expected 32 bytes, it's possible
> to overflow past the end of the last element in the mixer_vols array.
> Further exploitation can result in an arbitrary kernel write (via
> subsequent calls to load_mixer_volumes()) leading to privilege
> escalation, or arbitrary kernel reads via get_mixer_levels().  In
> addition, the strcmp() may leak bytes beyond the mixer_vols array."
> 

Please use CVE-2010-4527 for this one.


-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
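
The flaw class described in the quoted report, as an added example that is not part of the original message and is not the kernel's code: a user-space C model of a lookup-or-insert keyed on a fixed 32-byte name field, which rejects a name with no NUL inside the field and uses only bounded compares and copies. `struct vol_entry`, `table`, `load_volumes_checked`, `demo` and the table sizes are hypothetical.

```c
/* Added illustration: user-space model, not the kernel's OSS code.
 * struct vol_entry, table[] and load_volumes_checked() are hypothetical. */
#include <stddef.h>
#include <string.h>

#define NAME_LEN 32  /* the "expected 32 bytes" in the report */
#define MAX_VOLS 4   /* constructed table size */
#define NLEVELS  4   /* constructed number of levels per entry */

struct vol_entry {
    char name[NAME_LEN];
    int  levels[NLEVELS];
};

static struct vol_entry table[MAX_VOLS];
static int n_entries;

/* Look up or create the entry for a caller-supplied fixed-width name field.
 * Returns the entry index, -1 if the name has no NUL within NAME_LEN bytes,
 * -2 if the table is full. Never touches memory past NAME_LEN bytes. */
int load_volumes_checked(const char name[NAME_LEN], const int levels[NLEVELS])
{
    const char *nul = memchr(name, '\0', NAME_LEN);
    int i;

    if (nul == NULL)  /* unterminated: reject before any string function */
        return -1;
    for (i = 0; i < n_entries; i++)
        if (strncmp(name, table[i].name, NAME_LEN) == 0)  /* bounded compare */
            return i;
    if (n_entries >= MAX_VOLS)
        return -2;
    /* Zero the field, then copy only the bytes before the terminator. */
    memset(table[n_entries].name, 0, NAME_LEN);
    memcpy(table[n_entries].name, name, (size_t)(nul - name));
    memcpy(table[n_entries].levels, levels, sizeof table[n_entries].levels);
    return n_entries++;
}

/* Constructed inputs: one valid name, one 32-byte field with no terminator. */
int demo(void)
{
    static const int lv[NLEVELS] = { 10, 20, 30, 40 };
    char ok[NAME_LEN] = "pcm";
    char bad[NAME_LEN];

    memset(bad, 'A', sizeof bad);  /* all 32 bytes used, no NUL */
    return load_volumes_checked(ok, lv) == 0 && load_volumes_checked(bad, lv) == -1;
}
```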