integer overflow in snd_compr_allocate_buffer() in kernel-ALSA-compress_core CVE-2012-6703 CVE-2014-9904

asked 2017-07-20 12:10:15 +0300

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-29 18:28:23 +0300

lpr
4819 ●186 ●253 ●257

http://www.uni-tuebingen....

Integer overflow in the snd_compr_allocate_buffer function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.6-rc6-next-20120917 allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. high (attack range: local)

The snd_compress_check_input function in sound/core/compress_offload.c in the ALSA subsystem in the Linux kernel before 3.17 does not properly check for an integer overflow, which allows local users to cause a denial of service (insufficient memory allocation) or possibly have unspecified other impact via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl call. high (attack range: local)

Broken Patch available, which is fixed by this patch.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/sound/core/compress_offload.c lines 414-419

edit 20171129: sfos 2.1.3.7 still not patched...