CVE-2022-48702
ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
The voice allocator sometimes begins allocating from near the end of the
array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
accesses the newly allocated voices as if it never wrapped around.
This results in out of bounds access if the first voice has a high enough
index so that first_voice + requested_voice_count > NUM_G (64).
The more voices are requested, the more likely it is for this to occur.
This was initially discovered using PipeWire, however it can be reproduced
by calling aplay multiple times with 16 channels:
aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero
UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
index 65 is out of range for type 'snd_emu10k1_voice [64]'
CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
Call Trace:
<TASK>
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
? exit_to_user_mode_prepare+0x35/0x170
? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50
? do_syscall_64+0x69/0x90
? exit_to_user_mode_prepare+0x35/0x170
snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0
do_syscall_64+0x5c/0x90
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ALSA: emu10k1: corrige el acceso fuera de los límites en snd_emu10k1_pcm_channel_alloc() El asignador de voz a veces comienza a asignar desde cerca del final de la matriz y luego regresa, sin embargo, snd_emu10k1_pcm_channel_alloc() accede al nuevo asignó voces como si nunca hubiera terminado. Esto da como resultado un acceso fuera de los límites si la primera voz tiene un índice lo suficientemente alto como para que primera_voz + recuento_de_voces_solicitadas > NUM_G (64). Cuantas más voces se soliciten, más probabilidades habrá de que esto ocurra. Esto se descubrió inicialmente usando PipeWire, sin embargo, se puede reproducir llamando a aplay varias veces con 16 canales: aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero UBSAN: array-index-out -of-bounds en sound/pci/emu10k1/emupcm.c:127:40 el índice 65 está fuera de rango para el tipo 'snd_emu10k1_voice [64]' CPU: 1 PID: 31977 Comm: aplay Contaminado: GW IOE 6.0.0-rc2 -emu10k1+ #7 Nombre del hardware: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 22/07/2010 Seguimiento de llamadas: dump_stack_lvl+0x49/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x3f __ubsan_handle_out_of_bounds.cold + 0x44/0x49 snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1] snd_pcm_hw_params+0x29f/0x600 [snd_pcm] snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm] ? exit_to_user_mode_prepare+0x35/0x170? do_syscall_64+0x69/0x90? syscall_exit_to_user_mode+0x26/0x50? do_syscall_64+0x69/0x90? exit_to_user_mode_prepare+0x35/0x170 snd_pcm_ioctl+0x27/0x40 [snd_pcm] __x64_sys_ioctl+0x95/0xd0 do_syscall_64+0x5c/0x90 ? do_syscall_64+0x69/0x90? do_syscall_64+0x69/0x90 entrada_SYSCALL_64_after_hwframe+0x63/0xcd
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-03 CVE Reserved
- 2024-05-03 CVE Published
- 2024-05-04 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.9.328 Search vendor "Linux" for product "Linux Kernel" and version " < 4.9.328" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.14.293 Search vendor "Linux" for product "Linux Kernel" and version " < 4.14.293" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 4.19.258 Search vendor "Linux" for product "Linux Kernel" and version " < 4.19.258" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.4.213 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.213" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.10.143 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.143" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.15.68 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.68" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.19.9 Search vendor "Linux" for product "Linux Kernel" and version " < 5.19.9" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " < 6.0" | en |
Affected
| ||||||