Re: CVE request: kernel: buffer overflow in OSS load_mixer_volumes

[Huzaifa Sidhpurwala <huzaifas () redhat com>]

On 12/31/2010 05:32 AM, Dan Rosenberg wrote:
> "The load_mixer_volumes() function, which can be triggered by
> unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
> a buffer overflow.  Because the provided 'name' argument isn't
> guaranteed to be NULL terminated at the expected 32 bytes, it's possible
> to overflow past the end of the last element in the mixer_vols array.
> Further exploitation can result in an arbitrary kernel write (via
> subsequent calls to load_mixer_volumes()) leading to privilege
> escalation, or arbitrary kernel reads via get_mixer_levels().  In
> addition, the strcmp() may leak bytes beyond the mixer_vols array."

Please use CVE-2010-4527 for this one.


-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team