Message-ID: <2025022633-CVE-2022-49292-b60c@gregkh>
Date: Wed, 26 Feb 2025 02:58:17 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49292: ALSA: oss: Fix PCM OSS buffer allocation overflow
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ALSA: oss: Fix PCM OSS buffer allocation overflow
We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc(). Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device. Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates are given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().
This patch is an attempt to avoid such an overflow and an allocation
for too large buffers. First off, it adds the limit of 1MB as the
upper bound for period bytes. This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size. The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.
In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.
The Linux kernel CVE team has assigned CVE-2022-49292 to this issue.
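As an added illustration of the two checks the description names (the 1 MB cap on period bytes and overflow-checked multiplication in the style of array3_size()), here is a userland model written for this page; it is not the kernel's patch, and the helper names, the rounding of the converted frame count and the "return 0 to reject" convention are assumptions of the example:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's array3_size(): multiply three sizes and
 * saturate to SIZE_MAX if any step overflows, so a wrapped product can
 * never pass for a small, valid allocation. (Hypothetical reimplementation.) */
static size_t checked_array3_size(size_t a, size_t b, size_t c)
{
	size_t ab, abc;
	if (__builtin_mul_overflow(a, b, &ab) || __builtin_mul_overflow(ab, c, &abc))
		return SIZE_MAX;
	return abc;
}

/* 1 MB upper bound for period bytes, the limit the fix introduces. */
#define PCM_OSS_MAX_PERIOD_BYTES (1024 * 1024)

/* Size of the temporary plugin buffer for `frames` frames of `channels`
 * channels at `sample_bytes` bytes per sample. Returns 0 (reject) on
 * overflow or when the size exceeds the cap, instead of reaching vmalloc(). */
static size_t plug_buffer_bytes(size_t frames, unsigned channels, unsigned sample_bytes)
{
	size_t bytes = checked_array3_size(frames, channels, sample_bytes);
	if (bytes == SIZE_MAX || bytes > PCM_OSS_MAX_PERIOD_BYTES)
		return 0;
	return bytes;
}

/* Period bytes after rate conversion: the frame count grows by
 * dst_rate/src_rate (rounded up), which is how a modest OSS request turns
 * into a huge conversion buffer. The scaling multiply is overflow-checked. */
static size_t converted_period_bytes(size_t src_frames, unsigned src_rate,
				     unsigned dst_rate, unsigned channels,
				     unsigned sample_bytes)
{
	size_t scaled, dst_frames;
	if (src_rate == 0 || __builtin_mul_overflow(src_frames, (size_t)dst_rate, &scaled))
		return 0;
	dst_frames = scaled / src_rate + (scaled % src_rate != 0);
	return plug_buffer_bytes(dst_frames, channels, sample_bytes);
}

int main(void)
{
	printf("%zu %zu\n", converted_period_bytes(1024, 44100, 48000, 2, 2),
	       converted_period_bytes(65536, 8000, 192000, 8, 4)); /* prints "4460 0" */
	return 0;
}
```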
Affected and fixed versions
===========================
Fixed in 4.19.237 with commit a63af1baf0a5e11827db60e3127f87e437cab6e5
Fixed in 5.4.188 with commit 0c4190b41a69990666b4000999e27f8f1b2a426b
Fixed in 5.10.109 with commit 5ce74ff7059341d8b2f4d01c3383491df63d1898
Fixed in 5.15.32 with commit 7a40cbf3579a8e14849ba7ce46309c1992658d2b
Fixed in 5.16.18 with commit fb08bf99195a87c798bc8ae1357337a981faeade
Fixed in 5.17.1 with commit e74a069c6a7bb505f3ade141dddf85f4b0b5145a
Fixed in 5.18 with commit efb6402c3c4a7c26d97c92d70186424097b6e366
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49292
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
sound/core/oss/pcm_oss.c
sound/core/oss/pcm_plugin.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5
https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b
https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898
https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b
https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade
https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a
https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366