integer overflow in snd_compr_allocate_buffer() in kernel-ALSA-compress_core CVE-2012-6703 CVE-2014-9904
asked 2017-07-20 12:10:15 +0200
This post is a wiki. Anyone with karma >75 is welcome to improve it.
Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. high (attack range: local)
The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. high (attack range: local)
Broken Patch available, which is fixed by this patch.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/sound/core/compress_offload.c lines 414-419
edit 20171129: sfos 2.1.3.7 still not patched...
@jovirkku this should have a "tracked by jolla" label
lpr ( 2017-09-19 09:41:57 +0200 )edit