Vigil@nce - Linux kernel: memory corruption via snd_ctl_new
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the SNDRV_CTL_IOCTL_ELEM_ADD and
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls, in order to corrupt the
memory, which leads to a denial of service or to code execution.
Severity: 2/4
Creation date: 29/09/2010
DESCRIPTION OF THE VULNERABILITY
The SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE
ioctls control audio devices. They are called on
/dev/snd/controlC*, whose access is usually restricted to members
of the "audio" group.
These ioctls call the snd_ctl_new() function in
sound/core/control.c. This function allocates a memory area to
store an array of snd_kcontrol structures. However, if the number
of items is too high, an integer overflow occurs, and corrupts the
memory.
A local attacker can therefore use the SNDRV_CTL_IOCTL_ELEM_ADD
and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls, in order to corrupt the
memory, which leads to a denial of service or to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-via-snd-ctl-new-9986