SecurityTracker.com
Category:   OS (Linux)  >   Linux Kernel
Vendors:   kernel.org
Linux Kernel Double-Free Memory Error in MIDI Driver Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1041529
SecurityTracker URL:  http://securitytracker.com/id/1041529
CVE Reference:   CVE-2018-10902
Date:  Aug 21 2018
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the Linux kernel. A local user can obtain elevated privileges on the target system.

A local user can trigger a double-free memory error in snd_rawmidi_input_params() and snd_rawmidi_output_status() in 'rawmidi.c' to execute arbitrary code on the target system with elevated privileges.

9462acee94608ea1643688d026aa95dd (via Trend Micro Zero Day Initiative) reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   The vendor has issued a source code fix, available at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0

Vendor URL:  www.kernel.org/
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 3 2018 (Ubuntu Issues Fix) Linux Kernel Double-Free Memory Error in MIDI Driver Lets Local Users Gain Elevated Privileges
Ubuntu has issued a fix for Ubuntu Linux 16.04 LTS.
Oct 30 2018 (Red Hat Issues Fix) Linux Kernel Double-Free Memory Error in MIDI Driver Lets Local Users Gain Elevated Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 7.



 Source Message Contents

Subject:  [oss-security] CVE-2018-10902 - linux kernel - double free in midi subsystem

Gday,

The linux midi subsystem has a possible memory corruption flaw
accessing midi devices.

This was fixed upstream in commit
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0
(4.18 and newer not affected). Red Hat has assigned CVE-2018-10902 for
this issue.

The raw midi kernel driver does not protect against concurrent access
which leads to a double-realloc (double free) in
snd_rawmidi_input_params() and snd_rawmidi_output_status() which are
part of snd_rawmidi_ioctl() handler in rawmidi.c file. Here is an
excerpt of the concerned code:

```
    if (params->buffer_size != runtime->buffer_size) {
        newbuf = krealloc(runtime->buffer, params->buffer_size,
                  GFP_KERNEL);
        if (!newbuf)
            return -ENOMEM;
        runtime->buffer = newbuf;
        runtime->buffer_size = params->buffer_size;
        runtime->avail = runtime->buffer_size;
    }
```

If a midi device is plugged in or emulated (which is the case under a
default VMware instance), then this device driver is reachable via
/dev/snd/midiC0D* interfaces.  This can lead to memory corruption and
all the fun that follows if abused correctly.

Thanks to ZDI, who did the reporting to Red Hat,

https://bugzilla.redhat.com/show_bug.cgi?id=1590720

-- 
Wade Mealing

Product Security - Kernel, RHCE

Red Hat
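
The message above attributes the double free to concurrent callers reaching the krealloc() on the same runtime->buffer with no protection. As an added illustration (not code from the original message or from the kernel), this userspace C model shows a resize that tolerates concurrent callers, plus a small stress harness; struct midi_runtime, runtime_resize(), concurrent_resize_ok() and the pthread mutex standing in for a kernel lock are all assumptions made for the example.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
/* Userspace stand-in for the rawmidi runtime; names are hypothetical. */
struct midi_runtime {
    pthread_mutex_t lock;
    char *buffer;
    size_t buffer_size, avail;
};

/* Allocate first, swap pointer and sizes under the lock, free the old buffer
 * afterwards: each old pointer leaves the struct through exactly one caller. */
int runtime_resize(struct midi_runtime *rt, size_t new_size)
{
    char *oldbuf, *newbuf = malloc(new_size);
    if (!newbuf)
        return -ENOMEM;
    pthread_mutex_lock(&rt->lock);
    oldbuf = rt->buffer;
    rt->buffer = newbuf;
    rt->buffer_size = rt->avail = new_size;
    pthread_mutex_unlock(&rt->lock);
    free(oldbuf);
    return 0;
}

static void *resizer(void *p)   /* one concurrent caller */
{
    for (size_t i = 0; i < 10000; i++)
        if (runtime_resize(p, 128 + (i & 63)) != 0)
            return p;           /* non-NULL reports failure */
    return NULL;
}

/* Run up to 8 resizers at once; 1 means all calls succeeded, state is sane. */
int concurrent_resize_ok(int nthreads)
{
    struct midi_runtime rt = { PTHREAD_MUTEX_INITIALIZER, malloc(64), 64, 64 };
    pthread_t tid[8];
    void *res;
    int started = 0, ok = 1;
    while (started < nthreads && started < 8 &&
           pthread_create(&tid[started], NULL, resizer, &rt) == 0)
        started++;
    for (int i = 0; i < started; i++)
        ok &= pthread_join(tid[i], &res) == 0 && !res;
    ok = ok && started == nthreads && rt.buffer && rt.buffer_size == rt.avail;
    free(rt.buffer);
    return ok;
}
```

Building with -fsanitize=address or -fsanitize=thread turns any remaining double free or data race in a variant of runtime_resize() into an immediate report.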