List: oss-security
Subject: [oss-security] CVE-2018-10902 - linux kernel - double free in midi subsystem
From: Wade Mealing <wmealing () redhat ! com>
Date: 2018-08-21 3:29:34
Message-ID: CALJHwhSzACBrrvU83O+ZOhqSHCFOFekPMU=5dYPY=2vTeD4PGQ () mail ! gmail ! com
Gday,
The linux midi subsystem has a possible memory corruption flaw
accessing midi devices.
This was fixed upstream in commit
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0
(4.18 and newer not affected). Red Hat has assigned CVE-2018-10902 for
this issue.
The raw midi kernel driver does not protect against concurrent access
which leads to a double-realloc (double free) in
snd_rawmidi_input_params() and snd_rawmidi_output_status() which are
part of snd_rawmidi_ioctl() handler in rawmidi.c file. Here is an
excerpt of the concerned code:
```
/* Resize path in the rawmidi params ioctl: the old runtime->buffer is
 * read, passed to krealloc() (which frees it on move) and the result is
 * stored back. A second caller that reads the same old pointer before
 * this store lands hands the already-freed block to krealloc() again. */
if (params->buffer_size != runtime->buffer_size) {
	newbuf = krealloc(runtime->buffer, params->buffer_size,
			  GFP_KERNEL);
	if (!newbuf)
		return -ENOMEM;
	runtime->buffer = newbuf;
	runtime->buffer_size = params->buffer_size;
	runtime->avail = runtime->buffer_size;
}
```
If a midi device is plugged in or emulated (which is the case under a
default VMware instance), then this device driver is reachable via
/dev/snd/midiC0D* interfaces. This can lead to memory corruption and
all the fun that follows if abused correctly.
Thanks to ZDI, who did the reporting to Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=1590720
--
Wade Mealing
Product Security - Kernel, RHCE
Red Hat
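The following is an added illustration, not kernel code and not the upstream patch. It models the race described above as a deterministic two-step schedule over two ioctl callers: step 1 reads `runtime->buffer` (as the excerpt does), step 2 passes that pointer to a constructed `model_krealloc()` that logs the block it retires instead of freeing it, so a bad interleaving shows up as a duplicate in the log rather than a crash. The `safe_*` variant is my own allocate-then-swap-under-lock-then-free pattern, chosen to show why serialising the pointer swap removes the double free; it is an assumption about the mitigation shape, not a reproduction of the upstream commit. All struct names, sizes and the 'a'/'b' schedule syntax are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified rawmidi runtime: only the fields the excerpt touches. */
struct runtime {
    void  *buffer;
    size_t buffer_size;
    size_t avail;
};

/* Constructed allocator shim: retiring a block means logging its pointer,
 * not freeing it, so double frees are countable instead of fatal. */
#define MAX_LOG 16
static const void *retired[MAX_LOG];
static int nretired;

static void model_kfree(const void *p) {
    if (p && nretired < MAX_LOG)
        retired[nretired++] = p;
}

static void *model_krealloc(void *old, size_t size) {
    void *fresh = malloc(size);        /* always moves, like a growing krealloc() */
    if (fresh && old)
        model_kfree(old);              /* the old block is retired here */
    return fresh;
}

/* Number of pointers that appear more than once in the retire log. */
int double_free_count(void) {
    int dups = 0;
    for (int i = 0; i < nretired; i++)
        for (int j = 0; j < i; j++)
            if (retired[i] == retired[j]) { dups++; break; }
    return dups;
}

/* One ioctl caller, split into the two steps the race is about. */
struct caller {
    size_t want;     /* params->buffer_size requested by this caller */
    void  *seen;     /* runtime->buffer as observed in step 1 */
    void  *newbuf;   /* block produced in step 2 */
};

/* Racy version, mirroring the excerpt: observe runtime->buffer, then
 * krealloc() that very pointer and store the result. Nothing prevents a
 * second caller from observing the same old pointer in between. */
void racy_step1(struct runtime *rt, struct caller *c) {
    c->seen = (c->want != rt->buffer_size) ? rt->buffer : NULL;
}
void racy_step2(struct runtime *rt, struct caller *c) {
    if (!c->seen) return;                      /* size unchanged: nothing to do */
    c->newbuf = model_krealloc(c->seen, c->want);
    rt->buffer = c->newbuf;
    rt->buffer_size = rt->avail = c->want;
}

/* Safe pattern (assumed, not the upstream diff): allocate first, swap the
 * pointer under a lock, then free whichever block this caller displaced.
 * Callers may still interleave, but each retires a distinct pointer. */
static int lock_held;                           /* model of the runtime lock */
void safe_step1(struct runtime *rt, struct caller *c) {
    (void)rt;
    c->newbuf = malloc(c->want);                /* no lock needed to allocate */
}
void safe_step2(struct runtime *rt, struct caller *c) {
    if (lock_held) abort();                     /* model invariant: swaps never overlap */
    lock_held = 1;
    void *old = rt->buffer;
    rt->buffer = c->newbuf;
    rt->buffer_size = rt->avail = c->want;
    lock_held = 0;
    model_kfree(old);                           /* free outside the lock, once */
}

typedef void (*step_fn)(struct runtime *, struct caller *);

/* Run a schedule over callers A and B: each 'a'/'b' runs that caller's
 * next step. Returns the number of double frees the schedule produced. */
int run_schedule(const char *schedule, step_fn step1, step_fn step2) {
    struct runtime rt = { malloc(64), 64, 64 };
    void *initial = rt.buffer;
    struct caller a = { 128, NULL, NULL }, b = { 256, NULL, NULL };
    step_fn steps[2] = { step1, step2 };
    int next_a = 0, next_b = 0;
    nretired = 0;
    for (const char *p = schedule; *p; p++) {
        if (*p == 'a' && next_a < 2)      steps[next_a++](&rt, &a);
        else if (*p == 'b' && next_b < 2) steps[next_b++](&rt, &b);
    }
    int dups = double_free_count();
    free(initial); free(a.newbuf); free(b.newbuf);   /* real cleanup of the model's blocks */
    return dups;
}

int main(void) {
    printf("racy, serialised (aabb): %d double free(s)\n", run_schedule("aabb", racy_step1, racy_step2));
    printf("racy, interleaved (abab): %d double free(s)\n", run_schedule("abab", racy_step1, racy_step2));
    printf("safe, interleaved (abab): %d double free(s)\n", run_schedule("abab", safe_step1, safe_step2));
    return 0;
}
```

The interleaved schedule `abab` is the one the post describes: both callers read the original buffer pointer before either stores its replacement, so the racy path hands the same pointer to `krealloc()` twice. With the swap done under a lock, the same schedule makes A retire the original block and B retire A's replacement, and the log contains no duplicate.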