The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel before 2.6.37 incorrectly expects that a certain name field ends with a '\0' character, which allows local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call.
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
Link | Tags |
---|---|
http://openwall.com/lists/oss-security/2010/12/31/4 | third party advisory mailing list |
https://bugzilla.redhat.com/show_bug.cgi?id=667615 | issue tracking third party advisory patch |
http://xorl.wordpress.com/2011/01/09/cve-2010-4527-linux-kernel-oss-sound-card-driver-buffer-overflow/ | third party advisory exploit |
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37 | broken link |
http://www.securityfocus.com/bid/45629 | vdb entry third party advisory |
http://openwall.com/lists/oss-security/2010/12/31/1 | mailing list third party advisory patch |
http://secunia.com/advisories/42765 | third party advisory |
http://www.vupen.com/english/advisories/2011/0375 | vdb entry third party advisory |
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html | mailing list third party advisory vendor advisory |
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=d81a12bc29ae4038770e05dce4ab7f26fd5880fb | |
http://secunia.com/advisories/43291 | third party advisory |