Vigil@nce: NetBSD, denial of service via azalia/hdaudio
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can query the azalia and hdaudio drivers, in
order to stop the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 03/02/2010
IMPACTED PRODUCTS
– NetBSD
DESCRIPTION OF THE VULNERABILITY
The azalia/hdaudio driver of the NetBSD kernel implements the
support of Intel High Definition audio devices.
The azalia_query_devinfo() function of azalia.c and the
hdaudio_afg_query_devinfo() function of hdaudio.c implement the
query_devinfo interface of the audio_hw_if structure:
x_query_devinfo(void *opaque, mixer_devinfo_t *mdev);
These functions are called when the user wants information on the
device.
However, if the mdev->index field is negative, these functions try
to read information on a mixer with an index outside the array.
This forces a read at an invalid memory address.
A local attacker can therefore query the azalia and hdaudio
drivers, in order to stop the system.
CHARACTERISTICS
Identifiers: BID-38057, NetBSD-SA2010-003, VIGILANCE-VUL-9404
http://vigilance.fr/vulnerability/NetBSD-denial-of-service-via-azalia-hdaudio-9404