Possible crash due to sprintf overrun in snd_pcm_hw_open

Bug #668487 reported by David Henningsson on 2010-10-29
This bug affects 1 person
Affects Status Importance Assigned to Milestone
alsa-lib (Ubuntu)

Bug Description

I'm not sure if this is a serious security issue, a theoretical one, or not a security issue at all (just a bug).

Anyway, in src/pcm/pcm_hw.c, there is a function snd_pcm_hw_open. The filename array is not large enough to fit if the "card" and "device" variables are being called with values so large that nobody but an attacker would use them.
At least this is relevant on amd64, and maybe on i386 as well, if the number is a large negative number.

The obivous fix as I see it would be to change sprintf to snprintf.

Here's the relevant code quoted:

 int snd_pcm_hw_open(snd_pcm_t **pcmp, const char *name,
      int card, int device, int subdevice,
      snd_pcm_stream_t stream, int mode,
      int mmap_emulation, int sync_ptr_ioctl)
 char filename[sizeof(SNDRV_FILE_PCM_STREAM_PLAYBACK) + 20];
 const char *filefmt;
/* .... */
 switch (stream) {
  SNDERR("invalid stream %d", stream);
  return -EINVAL;
 sprintf(filename, filefmt, card, device);

Changed in alsa-lib (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: New → Confirmed
Kees Cook (kees) wrote :

Are there any programs running with higher privs that will take an audio device as input? Regardless, since Intrepid, alsa-lib is compiled with -D_FORITFY_SOURCE=2 which will automatically convert all the sprintf() calls to snprintf().

security vulnerability: yes → no
visibility: private → public
summary: - Possible sprintf overrun in snd_pcm_hw_open
+ Possible crash due to sprintf overrun in snd_pcm_hw_open
Changed in alsa-lib (Ubuntu):
assignee: Kees Cook (kees) → nobody
David Henningsson (diwic) wrote :

1) what about Hardy? AFAIK it's been in there for a long time and we still support it?
2) what about other Linux distros that perhaps do not compile with -D_FORTIFY_SOURCE=2 ?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers