SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   NetBSD Vendors:   NetBSD
NetBSD Audio Subsystem May Let Local Users Crash the System
SecurityTracker Alert ID:  1016004
SecurityTracker URL:  http://securitytracker.com/id/1016004
CVE Reference:   CVE-2006-2205   (Links to External Site)
Updated:  Aug 15 2009
Original Entry Date:  Apr 27 2006
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.0
Description:   A vulnerability was reported in NetBSD. A local user can cause denial of service conditions.

A local user can change the sample rate of an audio device during playback to cause the target system to crash.

The audio_write() function does not check to determine if the filter list has been changed while the function is in the process of reading data. A local user can cause the audiosetinfo() function to change the filter during this process to cause the kernel to crash.

Versions prior to 3.0 are not affected.

Christian Biere reported this vulnerability.

Impact:   A local user can cause denial of service conditions on the target system.
Solution:   The vendor has issued a fix and has provided the following solution information [quoted]:

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update -d -P sys/dev/audio.c
# cvs update -d -P sys/dev/audio_if.h
# cvs update -d -P sys/dev/audiovar.h
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html

The NetBSD advisory is available at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-014.txt.asc

Vendor URL:  www.netbsd.org/ (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  NetBSD Security Advisory 2006-014: An audio subsystem race condition

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2006-014
		 =================================

Topic:		An audio subsystem race condition may crash the system

Version:	NetBSD-current:	source prior to April 19, 2006
		NetBSD 3.0:	source prior to April 19, 2006
		NetBSD 2.1:     not affected
		NetBSD 2.0.*:   not affected
		NetBSD 2.0:     not affected
		NetBSD 1.6.*:   not affected
		NetBSD 1.6:     not affected

Severity:	Any local user can crash the system

Fixed:		NetBSD-current:		April 19, 2006
		NetBSD-3-0 branch:	April 19, 2006
					(3.0.1 will include the fix)
		NetBSD-3   branch:	April 19, 2006

Abstract
========

A system crash can occur if a user changes the sample rate of an audio
device during playback.

Technical Details
=================

If the filter list is modified while audio_write() is running, a
kernel crash may occur. While the function is reading data from
userland, it does not check to see if the filter has been changed (via
audiosetinfo ioctl).

The audio_write() function reads data from userland in a loop, runs
any required filters (eg. rate conversion, changing encoding, etc) and
passes the data along to a circular audio buffer. The function
neglected to properly lock against the audiosetinfo() function.

Since this bug was introduced with the new audio filter framework in
NetBSD 3.0, prior releases are unaffected.

Solutions and Workarounds
=========================

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and 
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/dev/audio.c
        # cvs update -d -P sys/dev/audio_if.h
        # cvs update -d -P sys/dev/audiovar.h
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Christian Biere for reporting the issue and testing.
Jared D. McNeill for implementing the fixes.

Revision History
================

	2006-04-27	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-014.txt,v 1.8 2006/04/27 08:26:30 dan Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)

iQCVAwUBRFEK4j5Ru2/4N2IFAQIfDQP8DA79xLhwZdWSUDin1eZvIJAn3jBdvbpY
T2GpZoOam750XBbjXP+Y43CNEWOd9yS8tYhLW86cOgJeoqY4DJLeRsQ28f3MVwb7
WsxRZqNT7obGBAzkqXuDnWR1JvzPiYfeUASjNrXPT/ht0thFB8QApe41lDGJm2Js
YxQejoxe1sg=
=jkKy
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC