integer overflow in snd_compr_allocate_buffer() in kernel-ALSA-compress_core CVE-2012-6703 CVE-2014-9904

Tracked by Jolla (Rejected)

asked 2017-07-20 12:10:15 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-29 18:28:23 +0200

lpr gravatar image

Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. high (attack range: local)

The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. high (attack range: local)

Broken Patch available, which is fixed by this patch.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/sound/core/compress_offload.c lines 414-419

edit 20171129: sfos 2.1.3.7 still not patched...

edit retag flag offensive close delete

Comments

1

@jovirkku this should have a "tracked by jolla" label

lpr ( 2017-09-19 09:41:57 +0200 )edit