发布日期:2010-09-08
更新日期:2010-09-09
受影响系统:
Linux kernel 2.6.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 43062
CVE ID: CVE-2010-3080
Linux Kernel是开放源码操作系统Linux所使用的内核。
Linux Kernel的sound/core/seq/oss/seq_oss_init.c文件中的snd_seq_oss_open函数存在内存破坏漏洞。以下是一些创建失败的错误路径:
_error:
snd_seq_oss_writeq_delete(dp->writeq);
snd_seq_oss_readq_delete(dp->readq);
snd_seq_oss_synth_cleanup(dp);
snd_seq_oss_midi_cleanup(dp);
delete_port(dp);
delete_seq_queue(dp->queue);
kfree(dp);
delete_port所调用的port_delete对seq_oss_devinfo结构执行了free_devinfo(seq_ports.c中大约269行):
if (port->private_free)
port->private_free(port->private_data);
由于以下代码(seq_oss_init.c文件中约334行):
memset(&callback, 0, sizeof(callback));
callback.owner = THIS_MODULE;
callback.private_data = dp;
callback.event_input = snd_seq_oss_event_input;
callback.private_free = free_devinfo;
port.kernel = &callback;
执行了:
static void
free_devinfo(void *private)
{
struct seq_oss_devinfo *dp = (struct seq_oss_devinfo *)private;
if (dp->timer)
snd_seq_oss_timer_delete(dp->timer);
if (dp->writeq)
snd_seq_oss_writeq_delete(dp->writeq);
if (dp->readq)
snd_seq_oss_readq_delete(dp->readq);
kfree(dp);
}
因此:
delete_port(dp);
delete_seq_queue(dp->queue); <= 引用已释放指针
kfree(dp); <= 双重释放
<*来源:Tavis Ormandy (taviso@gentoo.org)
链接:https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=630551
*>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Linux
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=c598337660c21c0afaa9df5a65bb4a7a0cf15be8