Release date:
Updated on:
Affected Systems:
Linux kernel 2.6.x
Description:
--------------------------------------------------------------------------------
Bugtraq id: 47009
The Linux kernel is the kernel used by the open source Linux operating system.
The file "sound/oss/opl3.c" in the Linux kernel has a local privilege escalation vulnerability. A local attacker can exploit it to execute arbitrary code with kernel-level privileges and take complete control of the affected computer, or to cause a denial of service (DoS).
User-controllable voice and channel index values can cause reads and writes outside array bounds, leading to memory corruption.
<* Source: Dan Rosenberg (drosenberg@vsecurity.com)
Link: http://marc.info/?l=linux-kernel&m=130089499728386&w=2
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Dan Rosenberg (drosenberg@vsecurity.com) provides the following test methods:
---
Sound/oss/opl3.c | 15 ++ --
1 files changed, 13 insertions (+), 2 deletions (-)
Diff -- git a/sound/oss/opl3.c B/sound/oss/opl3.c
Index 938c48c.. e9d443e 100644
--- A/sound/oss/opl3.c
++ B/sound/oss/opl3.c
@-849,6 + 849,10 @ static int opl3_load_patch (int dev, int format, const char _ user * addr,
Static void opl3_panning (int dev, int voice, int value)
{
+
+ If (voice <0 | voice> = devc-> nr_voice)
+ Return;
+
Devc-> voc [voice]. panning = value;
}
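Review bot: the added block in opl3_panning() opens with an empty line directly after the function's opening brace, which kernel coding style avoids; drop that first blank "+" line and keep only the one that separates the check from the assignment. The test voice < 0 || voice >= devc->nr_voice guards the devc->voc[voice] write on both ends, but because the function returns void an out-of-range voice is now discarded silently, so a one-line comment saying that voice arrives from an untrusted caller would explain why the check is here. The same test is repeated verbatim in opl3_setup_voice(), so a small shared helper would keep the two from drifting apart.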
@-1066,8 + 1070,15 @ static int opl3_alloc_voice (int dev, int chn, int note, struct voice_alloc_info
Static void opl3_setup_voice (int dev, int voice, int chn)
{
-Struct channel_info * info =
-& Synth_devs [dev]-> chn_info [chn];
+ Struct channel_info * info;
+
+ If (voice <0 | voice> = devc-> nr_voice)
+ Return;
+
+ If (chn <0 | chn> 15)
+ Return;
+
+ Info = & synth_devs [dev]-> chn_info [chn];
Opl3_set_instr (dev, voice, info-> pgm_num );
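Review bot: the channel check in opl3_setup_voice() uses a bare constant, chn > 15, where the voice check next to it uses the named limit devc->nr_voice; tie the bound to the size of chn_info instead (for a fixed-size array, chn >= ARRAY_SIZE(synth_devs[dev]->chn_info)) so the check cannot go stale if the array size changes. Moving the info assignment below both checks is right, since the old initializer computed &synth_devs[dev]->chn_info[chn] before anything was validated. Within these lines dev still indexes synth_devs[] without a check, so the commit message should state where dev is validated.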
--
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Linux
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.kernel.org/