** Changed in: linux-snapdragon (Ubuntu Precise)
       Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: linux-snapdragon (Ubuntu Wily)
       Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Wily)
   Importance: Undecided => Medium

** Changed in: linux-snapdragon (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: linux-snapdragon (Ubuntu Yakkety)
       Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: linux-snapdragon (Ubuntu Trusty)
       Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Trusty)
   Importance: Undecided => Medium

** Description changed:

- hrtimer_cancel() waits for the completion from the callback, thus it
- must not be called inside the callback itself. This was already a
- problem in the past with ALSA hrtimer driver, and the early commit
- [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
- However, the previous fix is still insufficient: it may still cause a
- lockup when the ALSA timer instance reprograms itself in its callback.
- Then it invokes the start function even in snd_timer_interrupt() that is
- called in hrtimer callback itself, results in a CPU stall. This is no
- hypothetical problem but actually triggered by syzkaller fuzzer.
+ sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent
+ recursive callback access, which allows local users to cause a denial of
+ service (deadlock) via a crafted ioctl call. However, the previous fix
+ is still insufficient: it may still cause a lockup when the ALSA timer
+ instance reprograms itself in its callback. Then it invokes the start
+ function even in snd_timer_interrupt() that is called in hrtimer
+ callback itself, results in a CPU stall. This is no hypothetical problem
+ but actually triggered by syzkaller fuzzer.
  
  Break-Fix: - 2ba1fe7a06d3624f9a7586d672b55f08f7c670f3
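Review bot: the rewritten description drops the sentence that named the earlier fix ("the early commit [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it") but keeps "However, the previous fix is still insufficient", so "the previous fix" no longer has an antecedent in the `+` text. Either restore the sentence naming fcfdebe70759 after the CVE summary, or reword the follow-up as "The earlier fix in fcfdebe70759 is still insufficient: ..." so the description stays self-contained.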

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1549200

Title:
  CVE-2016-2549

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1549200/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
