Advisory: Linux Kernel snd_seq_oss_synth_make_info() Information Disclosure Vulnerability

Advisory ID: TKADV2008-005
Revision: 1.0
Release Date: 2008/08/06
Last Modified: 2008/08/06
Date Reported: 2008/08/02
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Linux Kernel >= 2.6
                   Linux Kernel < 2.6.27.rc2
Remotely Exploitable: No
Locally Exploitable: Yes
Vendor URL: http://www.kernel.org/
Vendor Status: Vendor has released a fixed version
CVE-ID: CVE-2008-3272
Patch development time: 4 days

======================
Vulnerability details:
======================

The Linux kernel contains an information disclosure vulnerability in the handling of the SNDCTL_SYNTH_INFO and SNDCTL_SYNTH_ID ioctls. Exploitation of this vulnerability can allow a local unprivileged attacker to gain access to sensitive data.

======================
Technical description:
======================

- From source code file sound/core/seq/oss/seq_oss_synth.c:

    /*
     * create OSS compatible synth_info record
     */
    int
    snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
    {
        struct seq_oss_synth *rec;

        if (dp->synths[dev].is_midi) {                                  /* <-- [1] */
            struct midi_info minf;
            snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, /* <-- [2] */
                                       &minf);
            inf->synth_type = SYNTH_TYPE_MIDI;
            inf->synth_subtype = 0;
            inf->nr_voices = 16;
            inf->device = dev;
            strlcpy(inf->name, minf.name, sizeof(inf->name));           /* <-- [3] */
        } else {
            if ((rec = get_synthdev(dp, dev)) == NULL)
                return -ENXIO;
            inf->synth_type = rec->synth_type;
            inf->synth_subtype = rec->synth_subtype;
            inf->nr_voices = rec->nr_voices;
            inf->device = dev;
            strlcpy(inf->name, rec->name, sizeof(inf->name));
            snd_use_lock_free(&rec->use_lock);
        }
        return 0;
    }

[1] + [2] As "dev" is user controlled and not validated at all, it is possible to specify an arbitrary array index. In consequence it is possible to copy arbitrary kernel memory into "minf", which is later copied into "inf" (see [3]) and then back to the user.

=========
Solution:
=========

The Linux kernel maintainers have addressed this vulnerability within version 2.6.27.rc2. More information can be found at the URLs shown below.

http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.27-rc2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=82e68f7ffec3800425f2391c8c86277606860442

========
History:
========

2008/08/02 - Initial notification of kernel maintainers
2008/08/02 - Initial response from kernel maintainers
2008/08/05 - Fix provided
2008/08/06 - Public disclosure

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=82e68f7ffec3800425f2391c8c86277606860442
[2] http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.27-rc2
[3] http://www.trapkit.de/advisories/TKADV2008-005.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.
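The root cause in the technical description above is a table lookup indexed by a caller-supplied "dev" with no range check. The following user-space model, added here as an example and not taken from the advisory or the kernel, shows the lookup with the check that was missing: the index is rejected before it touches the table. The struct layout, field names (max_synthdev, synths[]), constant values and the sample table are constructed assumptions for the model.

```c
/* Added example: user-space model of the bounded lookup. Layout, names and
 * values are constructed for illustration, not taken from the kernel. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SYNTH_NAME_LEN  30
#define SYNTH_TYPE_MIDI 2   /* constructed value for the model */

struct synth_info {
    char name[SYNTH_NAME_LEN];
    int  device;
    int  synth_type;
};

struct model_synth {
    int  is_midi;
    char name[SYNTH_NAME_LEN];
};

struct model_devinfo {
    int max_synthdev;               /* number of populated entries in synths[] */
    struct model_synth synths[4];   /* backing array may be larger than that */
};

/* Hardened lookup: any index outside [0, max_synthdev) is refused before the
 * table is dereferenced, returning -ENXIO as the original does for an unknown
 * device. Without this check a negative or oversized dev reads past the table. */
int make_info_checked(const struct model_devinfo *dp, int dev, struct synth_info *inf)
{
    if (dev < 0 || dev >= dp->max_synthdev)
        return -ENXIO;
    inf->device = dev;
    inf->synth_type = dp->synths[dev].is_midi ? SYNTH_TYPE_MIDI : 0;
    snprintf(inf->name, sizeof(inf->name), "%s", dp->synths[dev].name);
    return 0;
}

/* Constructed two-entry table so the check can be exercised stand-alone. */
static const struct model_devinfo sample_dp = {
    .max_synthdev = 2,
    .synths = { { 1, "model-midi" }, { 0, "model-fm" } },
};

/* Returns the lookup's return code for dev (0 or -ENXIO). */
int sample_lookup_rc(int dev)
{
    struct synth_info si;
    return make_info_checked(&sample_dp, dev, &si);
}

/* Returns synth_type for a valid dev, or -1 when the index is refused. */
int sample_lookup_type(int dev)
{
    struct synth_info si;
    return make_info_checked(&sample_dp, dev, &si) == 0 ? si.synth_type : -1;
}
```

Indices 2 and 3 are refused even though the backing array has four slots: the bound is the count of populated entries, not the array size.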