| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025051909-CVE-2025-37891-5344@gregkh> Date: Mon, 19 May 2025 09:19:10 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-37891: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump(). It leads eventually to a buffer overflow, and may corrupt the memory when a longer SysEx message is received. The fix is simply to extend the buffer size to 6 to fit with the SysEx UMP message. The Linux kernel CVE team has assigned CVE-2025-37891 to this issue. Affected and fixed versions =========================== Issue introduced in 6.5 with commit 0b5288f5fe63eab687c14e5940b9e0d532b129f2 and fixed in 6.6.90 with commit ce4f77bef276e7d2eb7ab03a5d08bcbaa40710ec Issue introduced in 6.5 with commit 0b5288f5fe63eab687c14e5940b9e0d532b129f2 and fixed in 6.12.28 with commit 226beac5605afbb33f8782148d188b64396145a4 Issue introduced in 6.5 with commit 0b5288f5fe63eab687c14e5940b9e0d532b129f2 and fixed in 6.14.6 with commit 42ef48dd4ebb082a1a90b5c3feeda2e68a9e32fe Issue introduced in 6.5 with commit 0b5288f5fe63eab687c14e5940b9e0d532b129f2 and fixed in 6.15-rc5 with commit 56f1f30e6795b890463d9b20b11e576adf5a2f77 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-37891 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/sound/ump_convert.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ce4f77bef276e7d2eb7ab03a5d08bcbaa40710ec https://git.kernel.org/stable/c/226beac5605afbb33f8782148d188b64396145a4 https://git.kernel.org/stable/c/42ef48dd4ebb082a1a90b5c3feeda2e68a9e32fe https://git.kernel.org/stable/c/56f1f30e6795b890463d9b20b11e576adf5a2f77
Powered by blists - more mailing lists