From ${URL}:

Several ALSA fixes have been committed to the Linux kernel git that fix several use-after-free and out-of-bounds memory access vulnerabilities in the Linux kernel.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=07f4d9d74a04aa7c72c5dae0ef97565f28f17b92
Author: Lars-Peter Clausen <lars@metafoo.de>
Date: Wed Jun 18 13:32:31 2014 +0200
ALSA: control: Protect user controls against concurrent access
(memory information disclosure or even overwrite)

--

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=82262a46627bebb0febcc26664746c25cef08563
commit 82262a46627bebb0febcc26664746c25cef08563
Author: Lars-Peter Clausen <lars@metafoo.de>
Date: Wed Jun 18 13:32:32 2014 +0200
ALSA: control: Fix replacing user controls
(use after free)

--

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=fd9f26e4eca5d08a27d12c0933fceef76ed9663d
commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d
Author: Lars-Peter Clausen <lars@metafoo.de>
Date: Wed Jun 18 13:32:33 2014 +0200
ALSA: control: Don't access controls outside of protected regions
(use after free)

--

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=ac902c112d90a89e59916f751c2745f4dbdbb4bd
ac902c112d90a89e59916f751c2745f4dbdbb4bd
Author: Lars-Peter Clausen <lars@metafoo.de>
Date: Wed Jun 18 13:32:34 2014 +0200
ALSA: control: Handle numid overflow

--

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e
commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e
Author: Lars-Peter Clausen <lars@metafoo.de>
Date: Wed Jun 18 13:32:35 2014 +0200
ALSA: control: Make sure that id->index does not overflow
(denial of service/memory leak?)
In addition to the information in ${URL} (what is included from it in this bug report is just a summary listing the various patches), additional information is available in http://seclists.org/oss-sec/2014/q2/630
CVE-2014-4656 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4656):
Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function.

CVE-2014-4655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4655):
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4654):
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call.

CVE-2014-4653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4653):
sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.

CVE-2014-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4652):
Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
All patches in mainline 3.16 onward
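
An added illustration of the integer-overflow class described under CVE-2014-4656 above (not code from the kernel or from the patches listed in this report): a simplified model of a control covering `count` consecutive indices, showing how an unchecked `index + count` wraps and hides a conflict, and how a bounds check before the addition rejects the input. The names `ctl_range`, `range_end_checked`, `overlaps_checked` and the sample values are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): a control covers `count` consecutive
 * element indices starting at `index`. Not the kernel's data structure. */
struct ctl_range { unsigned int index; unsigned int count; };

/* Unchecked form: unsigned addition wraps modulo UINT_MAX + 1, so the
 * computed end of the range can land below its start. */
static unsigned int range_end_unchecked(struct ctl_range r)
{
    return r.index + r.count;
}

/* Checked form: refuse any range whose end would not fit in unsigned int.
 * Returns true and stores the end on success, false on empty or overflow. */
static bool range_end_checked(struct ctl_range r, unsigned int *end)
{
    if (r.count == 0 || r.index > UINT_MAX - r.count)
        return false;
    *end = r.index + r.count;
    return true;
}

/* Conflict test that trusts the unchecked end; wrong once a range wraps. */
static bool overlaps_unchecked(struct ctl_range a, struct ctl_range b)
{
    return a.index < range_end_unchecked(b) && b.index < range_end_unchecked(a);
}

/* Conflict test that validates both ranges first; -1 means "reject input". */
static int overlaps_checked(struct ctl_range a, struct ctl_range b)
{
    unsigned int a_end, b_end;
    if (!range_end_checked(a, &a_end) || !range_end_checked(b, &b_end))
        return -1;
    return a.index < b_end && b.index < a_end;
}

int main(void)
{
    struct ctl_range existing = { UINT_MAX - 1, 1 };  /* constructed sample */
    struct ctl_range request  = { UINT_MAX - 3, 8 };  /* end wraps to 4 */
    printf("unchecked overlap: %d\n", overlaps_unchecked(existing, request));
    printf("checked overlap:   %d\n", overlaps_checked(existing, request));
    return 0;
}
```

The unchecked test reports no conflict for the wrapped request even though it covers the existing index; the checked test rejects the request before any comparison is made.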