[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: two OSS fixes
From:       Eugene Teo <eugene () redhat ! com>
Date:       2011-03-25 6:07:29
Message-ID: 4D8C3121.7090907 () redhat ! com
[Download RAW message or body]

On 03/23/2011 11:56 PM, Dan Rosenberg wrote:
> For both issues, access to /dev/sequencer is required, which is
> typically reserved for group audio.  Additionally, these only affect
> systems that use OSS (not to be confused with the OSS emulation layer
> provided by ALSA).
>
> 1. Specially crafted requests may be written to /dev/sequencer
> resulting in an underflow when calculating a size for a
> copy_from_user() operation in the driver for MIDI interfaces.  On x86,
> this just returns an error, but it may cause memory corruption on
> other architectures.  Other malformed requests may result in the use
> of uninitialized variables.  [1]

CVE-2011-1476

> 2. Due to a failure to validate user-supplied indexes in the driver
> for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request
> may be sent to /dev/sequencer, resulting in reading and writing beyond
> the bounds of heap buffers, and potentially allowing privilege
> escalation.  [2]

CVE-2011-1477

> [1] http://marc.info/?l=linux-kernel&m=130089204124354&w=2
> [2] http://marc.info/?l=linux-kernel&m=130089499728386&w=2

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
[prev in list] [next in list] [prev in thread] [next in thread]