Possible crash due to sprintf overrun in snd_pcm_hw_open
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
alsa-lib (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I'm not sure if this is a serious security issue, a theoretical one, or not a security issue at all (just a bug).
Anyway, in src/pcm/pcm_hw.c, there is a function snd_pcm_hw_open. The filename array is not large enough to fit if the "card" and "device" variables are being called with values so large that nobody but an attacker would use them.
At least this is relevant on amd64, and maybe on i386 as well, if the number is a large negative number.
The obvious fix as I see it would be to change sprintf to snprintf.
Here's the relevant code quoted:
```c
int snd_pcm_
int card, int device, int subdevice,
snd_
int mmap_emulation, int sync_ptr_ioctl)
{
	char filename[
	const char *filefmt;
	/* .... */
	switch (stream) {
	case SND_PCM_
		filefmt = SNDRV_FILE_
		break;
	case SND_PCM_
		filefmt = SNDRV_FILE_
		break;
	default:
		SNDERR("invalid stream %d", stream);
		return -EINVAL;
	}
	sprintf(filename, filefmt, card, device);
```
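The arithmetic behind the report, as an added example that is not part of the bug report or of alsa-lib's code. It assumes a 32-byte `filename` buffer and a device-path format of the same shape as alsa-lib's (`/dev/snd/pcmC%iD%ip`); neither value is quoted on this page. `pcm_path_length()` measures what the formatted path needs, `sprintf_would_overflow()` shows that ordinary card/device numbers fit comfortably while extreme values (INT_MIN formats as 11 characters) push the path past the buffer, and `build_pcm_path()` is the snprintf-with-length-check form of the fix the reporter proposes, refusing rather than truncating when the result does not fit:

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the report only says the array is "not large enough". */
#define FILENAME_LEN 32
/* Assumed shape of the device-path format; the report does not quote it. */
#define PCM_PLAYBACK_FMT "/dev/snd/pcmC%iD%ip"

/* Bytes the formatted path needs, excluding the terminating NUL. */
int pcm_path_length(int card, int device)
{
	return snprintf(NULL, 0, PCM_PLAYBACK_FMT, card, device);
}

/* 1 if a plain sprintf() into a FILENAME_LEN buffer would write past its end
 * (the path plus its NUL must fit, so length >= FILENAME_LEN overflows). */
int sprintf_would_overflow(int card, int device)
{
	return pcm_path_length(card, device) >= FILENAME_LEN;
}

/* Hardened form: snprintf() bounds the write, and the return value is checked
 * so an over-long path is rejected with -EINVAL instead of silently truncated
 * into a path that names some other device. Returns 0 on success. */
int build_pcm_path(char *out, size_t outlen, int card, int device)
{
	int n = snprintf(out, outlen, PCM_PLAYBACK_FMT, card, device);
	if (n < 0 || (size_t)n >= outlen) {
		if (outlen)
			out[0] = '\0';
		return -EINVAL;
	}
	return 0;
}

int main(void)
{
	char filename[FILENAME_LEN];
	int pairs[][2] = { {0, 0}, {99, 99}, {INT_MAX, INT_MAX}, {INT_MIN, INT_MIN} };
	size_t i;

	for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
		int card = pairs[i][0], device = pairs[i][1];
		int rc = build_pcm_path(filename, sizeof filename, card, device);
		printf("card=%i device=%i needs %d bytes: %s (%s)\n",
		       card, device, pcm_path_length(card, device),
		       sprintf_would_overflow(card, device) ? "overflows" : "fits",
		       rc == 0 ? filename : "rejected");
	}
	return 0;
}
```

The point of checking the return value, rather than just swapping in snprintf, is that a silently truncated path is still a wrong path; returning an error keeps the caller's failure visible the same way the existing `-EINVAL` for an invalid stream does.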
Changed in alsa-lib (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: New → Confirmed
Are there any programs running with higher privs that will take an audio device as input? Regardless, since Intrepid, alsa-lib is compiled with -D_FORTIFY_SOURCE=2 which will automatically convert all the sprintf() calls to snprintf().