Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NetBSD Audio Subsystem May Let Local Users Crash the System
|
|
SecurityTracker Alert ID: 1016004
|
|
SecurityTracker URL: http://securitytracker.com/id?1016004
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 27 2006
|
Impact: Denial of service via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: NetBSD Security Advisory
|
Version(s): 3.0
|
Description: A vulnerability was reported in NetBSD. A local user can cause denial of service conditions.
A local user can change the sample rate of an audio device during playback to cause the target system to crash.
The audio_write()
function does not check to determine if the filter list has been changed while the function is in the process of reading data.
A local user can cause the audiosetinfo() function to change the filter during this process to cause the kernel to crash.
Versions
prior to 3.0 are not affected.
Christian Biere reported this vulnerability.
|
Impact: A local user can cause denial of service conditions on the target system.
|
Solution: The vendor has issued a fix and has provided the following solution information [quoted]:
For all NetBSD versions, you need to
obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from
the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions,
replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To
update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/dev/audio.c
#
cvs update -d -P sys/dev/audio_if.h
# cvs update -d -P sys/dev/audiovar.h
# ./build.sh kernel=KERNCONF
# mv /netbsd
/netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this,
see:
http://www.NetBSD.org/guide/en/chap-kernel.html
The NetBSD advisory is available at:
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-
014.txt.asc
|
Vendor URL: www.netbsd.org/ (Links to External Site)
|
Cause: State error
|
Underlying OS: UNIX (NetBSD)
|
Reported By: NetBSD Security-Officer <security-officer@NetBSD.org>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 27 Apr 2006 21:40:46 +0100
From: NetBSD Security-Officer <security-officer@NetBSD.org>
Subject: NetBSD Security Advisory 2006-014: An audio subsystem race condition
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2006-014
=================================
Topic: An audio subsystem race condition may crash the system
Version: NetBSD-current: source prior to April 19, 2006
NetBSD 3.0: source prior to April 19, 2006
NetBSD 2.1: not affected
NetBSD 2.0.*: not affected
NetBSD 2.0: not affected
NetBSD 1.6.*: not affected
NetBSD 1.6: not affected
Severity: Any local user can crash the system
Fixed: NetBSD-current: April 19, 2006
NetBSD-3-0 branch: April 19, 2006
(3.0.1 will include the fix)
NetBSD-3 branch: April 19, 2006
Abstract
========
A system crash can occur if a user changes the sample rate of an audio
device during playback.
Technical Details
=================
If the filter list is modified while audio_write() is running, a
kernel crash may occur. While the function is reading data from
userland, it does not check to see if the filter has been changed (via
audiosetinfo ioctl).
The audio_write() function reads data from userland in a loop, runs
any required filters (eg. rate conversion, changing encoding, etc) and
passes the data along to a circular audio buffer. The function
neglected to properly lock against the audiosetinfo() function.
Since this bug was introduced with the new audio filter framework in
NetBSD 3.0, prior releases are unaffected.
Solutions and Workarounds
=========================
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P sys/dev/audio.c
# cvs update -d -P sys/dev/audio_if.h
# cvs update -d -P sys/dev/audiovar.h
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.NetBSD.org/guide/en/chap-kernel.html
Thanks To
=========
Christian Biere for reporting the issue and testing.
Jared D. McNeill for implementing the fixes.
Revision History
================
2006-04-27 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-014.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2006-014.txt,v 1.8 2006/04/27 08:26:30 dan Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)
iQCVAwUBRFEK4j5Ru2/4N2IFAQIfDQP8DA79xLhwZdWSUDin1eZvIJAn3jBdvbpY
T2GpZoOam750XBbjXP+Y43CNEWOd9yS8tYhLW86cOgJeoqY4DJLeRsQ28f3MVwb7
WsxRZqNT7obGBAzkqXuDnWR1JvzPiYfeUASjNrXPT/ht0thFB8QApe41lDGJm2Js
YxQejoxe1sg=
=jkKy
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
