cve/published/2022/CVE-2022-48702.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48702: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

 The voice allocator sometimes begins allocating from near the end of the
 array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
 accesses the newly allocated voices as if it never wrapped around.

 This results in out of bounds access if the first voice has a high enough
 index so that first_voice + requested_voice_count > NUM_G (64).
 The more voices are requested, the more likely it is for this to occur.

 This was initially discovered using PipeWire, however it can be reproduced
 by calling aplay multiple times with 16 channels:
 aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

 UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
 index 65 is out of range for type 'snd_emu10k1_voice [64]'
 CPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7
 Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010
 Call Trace:
 <TASK>
 dump_stack_lvl+0x49/0x63
 dump_stack+0x10/0x16
 ubsan_epilogue+0x9/0x3f
 __ubsan_handle_out_of_bounds.cold+0x44/0x49
 snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
 snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
 snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
 ? exit_to_user_mode_prepare+0x35/0x170
 ? do_syscall_64+0x69/0x90
 ? syscall_exit_to_user_mode+0x26/0x50
 ? do_syscall_64+0x69/0x90
 ? exit_to_user_mode_prepare+0x35/0x170
 snd_pcm_ioctl+0x27/0x40 [snd_pcm]
 __x64_sys_ioctl+0x95/0xd0
 do_syscall_64+0x5c/0x90
 ? do_syscall_64+0x69/0x90
 ? do_syscall_64+0x69/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

 The Linux kernel CVE team has assigned CVE-2022-48702 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.328 with commit 637c5310acb48fffcc5657568db3f3e9bc719bfa
 	Fixed in 4.14.293 with commit 6b0e260ac3cf289e38446552461caa65e6dab275
 	Fixed in 4.19.258 with commit 88aac6684cf8bc885cca15463cb4407e91f28ff7
 	Fixed in 5.4.213 with commit 45321a7d02b7cf9b3f97e3987fc1e4d649b82da2
 	Fixed in 5.10.143 with commit 39a90720f3abe96625d1224e7a7463410875de4c
 	Fixed in 5.15.68 with commit 45814a53514e10a8014906c882e0d0d38df39cc1
 	Fixed in 5.19.9 with commit 4204a01ffce97cae1d59edc5848f02be5b2b9178
 	Fixed in 6.0 with commit d29f59051d3a07b81281b2df2b8c9dfe4716067f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48702
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	sound/pci/emu10k1/emupcm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa
 	https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275
 	https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7
 	https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2
 	https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c
 	https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1
 	https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178
 	https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48702: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

	The voice allocator sometimes begins allocating from near the end of the
	array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
	accesses the newly allocated voices as if it never wrapped around.

	This results in out of bounds access if the first voice has a high enough
	index so that first_voice + requested_voice_count > NUM_G (64).
	The more voices are requested, the more likely it is for this to occur.

	This was initially discovered using PipeWire, however it can be reproduced
	by calling aplay multiple times with 16 channels:
	aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

	UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
	index 65 is out of range for type 'snd_emu10k1_voice [64]'
	CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
	Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
	Call Trace:
	<TASK>
	dump_stack_lvl+0x49/0x63
	dump_stack+0x10/0x16
	ubsan_epilogue+0x9/0x3f
	__ubsan_handle_out_of_bounds.cold+0x44/0x49
	snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
	snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
	snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
	? exit_to_user_mode_prepare+0x35/0x170
	? do_syscall_64+0x69/0x90
	? syscall_exit_to_user_mode+0x26/0x50
	? do_syscall_64+0x69/0x90
	? exit_to_user_mode_prepare+0x35/0x170
	snd_pcm_ioctl+0x27/0x40 [snd_pcm]
	__x64_sys_ioctl+0x95/0xd0
	do_syscall_64+0x5c/0x90
	? do_syscall_64+0x69/0x90
	? do_syscall_64+0x69/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	The Linux kernel CVE team has assigned CVE-2022-48702 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.328 with commit 637c5310acb48fffcc5657568db3f3e9bc719bfa
	Fixed in 4.14.293 with commit 6b0e260ac3cf289e38446552461caa65e6dab275
	Fixed in 4.19.258 with commit 88aac6684cf8bc885cca15463cb4407e91f28ff7
	Fixed in 5.4.213 with commit 45321a7d02b7cf9b3f97e3987fc1e4d649b82da2
	Fixed in 5.10.143 with commit 39a90720f3abe96625d1224e7a7463410875de4c
	Fixed in 5.15.68 with commit 45814a53514e10a8014906c882e0d0d38df39cc1
	Fixed in 5.19.9 with commit 4204a01ffce97cae1d59edc5848f02be5b2b9178
	Fixed in 6.0 with commit d29f59051d3a07b81281b2df2b8c9dfe4716067f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48702
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	sound/pci/emu10k1/emupcm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa
	https://git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275
	https://git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7
	https://git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2
	https://git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c
	https://git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1
	https://git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178
	https://git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f