Bug 986941 (CVE-2012-6703) - VUL-0: CVE-2012-6703: kernel-source: alsa: integer overflow in ALSA snd_compress_check_input
Status: RESOLVED FIXED
Alias: CVE-2012-6703
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170551/
Whiteboard: CVSSv2:SUSE:CVE-2012-6703:3.3:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-29 09:38 UTC by Marcus Meissner
Modified: 2020-06-29 06:25 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-06-29 09:38:05 UTC
CVE-2012-6703

original fix for an integer overflow.

the code is not called in our kernel.

commit b35cc8225845112a616e3a2266d2fde5ab13d3ab
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Sep 5 15:32:18 2012 +0300

    ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
    
    These are 32 bit values that come from the user, we need to check for
    integer overflows or we could end up allocating a smaller buffer than
    expected.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index eb60cb8..68fe02c 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
        unsigned int buffer_size;
        void *buffer;
 
+       if (params->buffer.fragment_size == 0 ||
+           params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+               return -EINVAL;
+
        buffer_size = params->buffer.fragment_size * params->buffer.fragments;
        if (stream->ops->copy) {
                buffer = NULL;
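
Review bot: The added check bounds the product by SIZE_MAX, but the result is stored in `unsigned int buffer_size` (declared at the top of the hunk), so the limit tested does not match the width of the destination. On a 64-bit build `SIZE_MAX / params->buffer.fragment_size` is larger than any 32-bit `fragments` value, which means the condition can only fire on `fragment_size == 0` and a pair whose product wraps at 32 bits still reaches the multiplication. Suggest bounding by the destination type, for example `params->buffer.fragments > UINT_MAX / params->buffer.fragment_size`, or widening `buffer_size` to `size_t` and confirming that every later consumer of the size takes that width. A one-line comment above the check naming the type being protected would also keep the bound and the variable from drifting apart again.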

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6703
http://seclists.org/oss-sec/2016/q2/616
Comment 1 Takashi Iwai 2016-06-29 09:45:05 UTC
No extra action needed for this bug.  See bnc#986811.

No SLE releases have been affected by this.

SLE12-SP2 / openSUSE TW / Leap 42.2 have drivers with this API, but it was already fixed a long time ago.
Comment 2 Takashi Iwai 2016-06-29 11:53:34 UTC
Reassigned back to security team.  Feel free to close.
Comment 3 Swamp Workflow Management 2016-06-29 22:00:14 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2017-02-15 20:19:16 UTC
SUSE-SU-2017:0471-1: An update that solves 34 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1003153,1003925,1004462,1004517,1005666,1007197,1008833,1008979,1009969,1010040,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011820,1012422,1013038,1013531,1013540,1013542,1014746,1016482,1017410,1017589,1017710,1019300,1019851,1020602,1021258,881008,915183,958606,961257,970083,971989,976195,978094,980371,980560,981038,981597,981709,982282,982544,983619,983721,983977,984148,984419,984755,985978,986362,986365,986445,986569,986572,986811,986941,987542,987565,987576,989152,990384,991608,991665,993392,993890,993891,994296,994748,994881,995968,997708,998795,999584,999600,999932,999943
CVE References: CVE-2014-9904,CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-4470,CVE-2016-4998,CVE-2016-5696,CVE-2016-5828,CVE-2016-5829,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-8658,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.66.1
Comment 5 Marcus Meissner 2017-03-02 10:31:10 UTC
released