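A vulnerability has been found in the ALSA sound driver of Linux; a local attacker may be able to exploit it to obtain sensitive information from kernel memory. Affected: Linux Kernel: 2.6.22.8.
The Linux kernel has a security flaw in how it handles multiple reads of the /proc/driver/snd-page-alloc file. The read system call reaches snd_mem_proc_read in sound/core/memalloc.c as follows: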
51 static ssize_t
52 proc_file_read(struct file *file, char __user *buf, size_t nbytes,
53                loff_t *ppos)
54 {
...
136                     n = dp->read_proc(page, &start, *ppos,
137                                       count, &eof, dp->data);
...
155                     n -= *ppos;
156                     if (n <= 0)
157                             break;
158                     if (n > count)
159                             n = count;
160                     start = page + *ppos;
...
186             n -= copy_to_user(buf, start < page ? page : start, n);
...
193             *ppos += start < page ? (unsigned long)start : n;
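At line 136 the call to snd_mem_proc_read returns the value n. Because the return value (roughly 41 with a single device) is larger than the requested read size (1), n is set to count at line 158; *ppos is then incremented, and n bytes are copied to user space from start (computed as page + *ppos).
On subsequent user-space reads, if *ppos is greater than 0, proc_file_read copies past the data that snd_mem_proc_read wrote into the page, which leaks kernel memory.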
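The read path described above, modelled in user-space C as an added example (not kernel code, not part of the advisory, and not the upstream fix). The two callbacks, the 64-byte page, the sample text and the 'S' filler standing in for stale page contents are assumptions; the bounded variant shows a callback that honours the offset and reports only what it wrote.

```c
#include <string.h>
#define PAGE_SZ 64   /* small stand-in for a kernel page */
static const char MSG[] = "pages : 0 bytes (0 pages per 4kB)\n"; /* constructed */

/* Flawed callback (assumed behaviour): fills at most `count` bytes at the
 * start of the page, yet reports the full length of its output. */
int cb_flawed(char *page, int count)
{
    int full = (int)strlen(MSG);
    memcpy(page, MSG, (size_t)(full < count ? full : count));
    return full;
}

/* Offset-aware callback: writes MSG[off, off+count), returns bytes written. */
int cb_bounded(char *page, long off, int count)
{
    long left = (long)strlen(MSG) - off;
    if (left <= 0) return 0;
    if (left > count) left = count;
    memcpy(page, MSG + off, (size_t)left);
    return (int)left;
}

/* One read() of `count` bytes at *ppos; flawed != 0 follows the listing. */
int demo_read(char *out, int count, long *ppos, int flawed)
{
    char page[PAGE_SZ]; const char *start = page; long n;
    if (*ppos < 0 || count < 1 || count > PAGE_SZ) return 0;
    memset(page, 'S', sizeof page);          /* stale data left in the page */
    if (flawed) {
        n = cb_flawed(page, count) - *ppos;  /* lines 136 and 155 */
        if (n > count) n = count;            /* lines 158-159 */
    } else {
        n = cb_bounded(page, *ppos, count);
    }
    if (n <= 0) return 0;
    if (flawed) start = page + *ppos;        /* line 160: offset applied again */
    memcpy(out, start, (size_t)n);           /* stands in for copy_to_user */
    *ppos += n;
    return (int)n;
}

/* Stale ('S') bytes obtained by reading the file one byte at a time. */
int demo_count_stale(int flawed)
{
    long pos = 0; char c; int stale = 0;
    while (demo_read(&c, 1, &pos, flawed) == 1) stale += (c == 'S');
    return stale;
}
```

In the flawed path every one-byte read after the first returns filler rather than output text, because the callback initialised only `count` bytes while the caller indexed the page by `*ppos`.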
Source: http://secunia.com/advisories/26918/
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
The vulnerability is caused due to an error within the "snd_mem_proc_read()" function in sound/core/memalloc.c when handling multiple reads from the "/proc/driver/snd-page-alloc" file, which can be exploited to disclose certain kernel memory.
The vulnerability is reported in versions prior to 2.6.22.8.
Solution:
Update to version 2.6.22.8.
Provided and/or discovered by:
Discovered by Neil Kettle (mu-b) of www.digit-labs.org and reported via iDefense Labs.
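Suggested temporary workarounds:
1) Unload the snd_page_alloc module
2) Change the mount options in /etc/fstab to restrict access to the /proc filesystem
Patch download:
The vendor has released an update that fixes this security issue; download it from the following site: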
http://kernel.org/pub/linux/kernel/v...6.22.8.tar.bz2