
Bug 514908 (CVE-2014-4652)

Summary: Kernel: Linux kernel ALSA core control API vulnerabilities (CVE-2014-{4652,4653,4654,4655,4656})
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Kernel Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal CC: kernel
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2014/q2/629
Whiteboard:
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-24 11:59:13 UTC
From ${URL}: 

Several ALSA fixes have been committed to the Linux kernel git that fix several
use-after-free and out-of-bounds memory access vulnerabilities in the Linux kernel.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=07f4d9d74a04aa7c72c5dae0ef97565f28f17b92

Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:31 2014 +0200

    ALSA: control: Protect user controls against concurrent access
(memory information disclosure or even overwrite)

--


https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=82262a46627bebb0febcc26664746c25cef08563
commit 82262a46627bebb0febcc26664746c25cef08563
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:32 2014 +0200

    ALSA: control: Fix replacing user controls
(use after free)

--
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=fd9f26e4eca5d08a27d12c0933fceef76ed9663d
commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:33 2014 +0200

    ALSA: control: Don't access controls outside of protected regions
(use after free)
--
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=ac902c112d90a89e59916f751c2745f4dbdbb4bd
commit ac902c112d90a89e59916f751c2745f4dbdbb4bd
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:34 2014 +0200

    ALSA: control: Handle numid overflow

--
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/sound/core/control.c?id=883a1d49f0d77d30012f114b2e19fc141beb3e8e
commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Jun 18 13:32:35 2014 +0200

    ALSA: control: Make sure that id->index does not overflow
(denial of service/memory leak?)
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-24 12:18:04 UTC
In addition to the information in ${URL} (what is included from it in this bug report is just a summary listing the various patches), additional information is available in http://seclists.org/oss-sec/2014/q2/630
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:50:04 UTC
CVE-2014-4656 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4656):
  Multiple integer overflows in sound/core/control.c in the ALSA control
  implementation in the Linux kernel before 3.15.2 allow local users to cause
  a denial of service by leveraging /dev/snd/controlCX access, related to (1)
  index values in the snd_ctl_add function and (2) numid values in the
  snd_ctl_remove_numid_conflict function.

CVE-2014-4655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4655):
  The snd_ctl_elem_add function in sound/core/control.c in the ALSA control
  implementation in the Linux kernel before 3.15.2 does not properly maintain
  the user_ctl_count value, which allows local users to cause a denial of
  service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX
  access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4654):
  The snd_ctl_elem_add function in sound/core/control.c in the ALSA control
  implementation in the Linux kernel before 3.15.2 does not check
  authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local
  users to remove kernel controls and cause a denial of service
  (use-after-free and system crash) by leveraging /dev/snd/controlCX access
  for an ioctl call.

CVE-2014-4653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4653):
  sound/core/control.c in the ALSA control implementation in the Linux kernel
  before 3.15.2 does not ensure possession of a read/write lock, which allows
  local users to cause a denial of service (use-after-free) and obtain
  sensitive information from kernel memory by leveraging /dev/snd/controlCX
  access.

CVE-2014-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4652):
  Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv
  function in sound/core/control.c in the ALSA control implementation in the
  Linux kernel before 3.15.2 allows local users to obtain sensitive
  information from kernel memory by leveraging /dev/snd/controlCX access.
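The index-range overflow named in the "Make sure that id->index does not overflow" commit title and in the CVE-2014-4656 text above, shown as an added example that is not code from the kernel or from this bug report. It is a user-space model of a control that owns the indices [index, index + count); `range_covers` and `range_ok` are hypothetical names and the sample values are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical lookup: does the range [index, index + count) contain idx?
 * index + count is unsigned arithmetic, so it wraps around silently when
 * the end of the range would pass UINT_MAX. */
static bool range_covers(unsigned int index, unsigned int count,
                         unsigned int idx)
{
    if (index > idx)
        return false;
    if (index + count <= idx)   /* wrapped sum makes this true by mistake */
        return false;
    return true;
}

/* Hypothetical validation run before a range is accepted. Written as a
 * subtraction so the check itself cannot wrap. */
static bool range_ok(unsigned int index, unsigned int count)
{
    if (count == 0)
        return false;
    return index <= UINT_MAX - count;
}

int main(void)
{
    /* Constructed sample values. */
    unsigned int index = UINT_MAX - 1, count = 4;

    /* Without validation the entry cannot be found by its own first
     * index, so it can never be looked up or removed again. */
    printf("found by own index: %d\n", range_covers(index, count, index));

    /* With validation the overflowing range is refused up front. */
    printf("accepted:           %d\n", range_ok(index, count));

    /* A well-formed range behaves as expected in both functions. */
    printf("normal lookup:      %d\n", range_covers(4, 8, 11));
    printf("normal accepted:    %d\n", range_ok(4, 8));
    return 0;
}
```

An entry that lookups can no longer find is also one that cannot be removed, which matches the "(denial of service/memory leak?)" remark in the description.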
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-25 00:05:15 UTC
All patches in mainline 3.16 onward