Pardus: Alsa: Denial of Service
Posted by Benjamin D. Thomas   
A kernel vulnerability has been fixed that malicious people can exploit to crash the kernel through a divide by zero in azx_position_ok().

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-36            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-02-25
  Severity: 3
      Type: Local
------------------------------------------------------------------------

Summary
=======

A kernel vulnerability has been fixed that malicious people can exploit
to crash the kernel through a divide by zero in azx_position_ok().


Description
===========

Using mp3blaster-3.2.5 (latest version) to play MP3 audio, the reporter
was able to crash the kernel by repeatedly stopping and restarting
playback with the "5" key. This happens as a normal user, not only as
root. The kernel backtrace points to azx_position_ok() dividing by zero,
so he wrote a tiny patch to investigate, which reported the values of
pos and azx_dev->period_bytes via printk(); on crash, both were 0. The
offending operation is:

    if (pos % azx_dev->period_bytes > azx_dev->period_bytes / 2)

With azx_dev->period_bytes equal to 0, the modulo is a division by zero,
which is the source of the crash.
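
Added example (not part of the advisory and not the kernel's actual
patch): a user-space C model of the check quoted above, beside a form
that validates period_bytes before the modulo. The struct, function
names, return codes and sample events are assumptions constructed for
illustration.

```c
#include <stdio.h>

/* Hypothetical user-space stand-in for the driver's per-stream state. */
struct stream_model {
    unsigned int period_bytes;   /* 0 was the value seen at crash time */
};

/* Return codes are assumptions made for this model. */
enum { POS_IGNORE = -1, POS_NOT_YET = 0, POS_OK = 1 };

/* Check as quoted in the advisory: divides by zero if period_bytes == 0. */
int position_ok_unguarded(const struct stream_model *s, unsigned int pos)
{
    return (pos % s->period_bytes > s->period_bytes / 2) ? POS_NOT_YET : POS_OK;
}

/* Same check with the divisor validated before the modulo. */
int position_ok_guarded(const struct stream_model *s, unsigned int pos)
{
    if (s->period_bytes == 0)
        return POS_IGNORE;       /* nothing to compare against; skip */
    return position_ok_unguarded(s, pos);
}

/* Constructed sample: position checks interleaved with stop/restart. */
struct event { unsigned int period_bytes, pos; };
const struct event SAMPLE[] = {
    { 4096, 4100 }, { 0, 0 }, { 4096, 3000 }, { 0, 0 }, { 4096, 8192 },
};
#define SAMPLE_LEN ((int)(sizeof(SAMPLE) / sizeof(SAMPLE[0])))

/* Count events the guarded check refuses to evaluate. */
int count_ignored(const struct event *ev, int n)
{
    int ignored = 0;
    for (int i = 0; i < n; i++) {
        struct stream_model s = { ev[i].period_bytes };
        if (position_ok_guarded(&s, ev[i].pos) == POS_IGNORE)
            ignored++;
    }
    return ignored;
}

int main(void)
{
    printf("ignored %d of %d position checks\n",
           count_ignored(SAMPLE, SAMPLE_LEN), SAMPLE_LEN);
    return 0;
}
```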


Affected packages:

  Pardus 2009:
    module-alsa-driver, all before 1.0.22_20100222-57-33
    module-pae-alsa-driver, all before 1.0.22_20100222-57-15



Resolution
==========

There are update(s) for module-alsa-driver, module-pae-alsa-driver. You
can update them via Package Manager or with a single command from
console:

    pisi up module-alsa-driver module-pae-alsa-driver

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12341
  * https://bugzilla.redhat.com/show_bug.cgi?id=567168
  * http://lkml.org/lkml/2010/2/6/40