In the Linux kernel, the following vulnerability has been resolved: ALSA:
emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() The
voice allocator sometimes begins allocating from near the end of the array
and then wraps around, however snd_emu10k1_pcm_channel_alloc() accesses the
newly allocated voices as if it never wrapped around. This results in out
of bounds access if the first voice has a high enough index so that
first_voice + requested_voice_count > NUM_G (64). The more voices are
requested, the more likely it is for this to occur. This was initially
discovered using PipeWire, however it can be reproduced by calling aplay
multiple times with 16 channels: aplay -r 48000 -D plughw:CARD=Live,DEV=3
-c 16 /dev/zero UBSAN: array-index-out-of-bounds in
sound/pci/emu10k1/emupcm.c:127:40 index 65 is out of range for type
‘snd_emu10k1_voice [64]’ CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE
6.0.0-rc2-emu10k1+ #7 Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W
DH Deluxe, BIOS 3002 07/22/2010 Call Trace: <TASK> dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm] snd_pcm_common_ioctl+0x188/0x1410
[snd_pcm] ? exit_to_user_mode_prepare+0x35/0x170 ? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50 ? do_syscall_64+0x69/0x90 ?
exit_to_user_mode_prepare+0x35/0x170 snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0 do_syscall_64+0x5c/0x90 ? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/d29f59051d3a07b81281b2df2b8c9dfe4716067f (6.0-rc5)
git.kernel.org/stable/c/39a90720f3abe96625d1224e7a7463410875de4c
git.kernel.org/stable/c/4204a01ffce97cae1d59edc5848f02be5b2b9178
git.kernel.org/stable/c/45321a7d02b7cf9b3f97e3987fc1e4d649b82da2
git.kernel.org/stable/c/45814a53514e10a8014906c882e0d0d38df39cc1
git.kernel.org/stable/c/637c5310acb48fffcc5657568db3f3e9bc719bfa
git.kernel.org/stable/c/6b0e260ac3cf289e38446552461caa65e6dab275
git.kernel.org/stable/c/88aac6684cf8bc885cca15463cb4407e91f28ff7
git.kernel.org/stable/c/d29f59051d3a07b81281b2df2b8c9dfe4716067f
launchpad.net/bugs/cve/CVE-2022-48702
nvd.nist.gov/vuln/detail/CVE-2022-48702
security-tracker.debian.org/tracker/CVE-2022-48702
www.cve.org/CVERecord?id=CVE-2022-48702