Allele Security Alert
ASA-2018-00068
Identifier(s)
ASA-2018-00068, CVE-2018-19824
Title
Use-after-free in usb_audio_probe()
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 4.20
Linux kernel versions before 4.9.145
Linux kernel versions before 4.19.9
Linux kernel versions before 4.14.88
Linux kernel versions before 4.4.167
Linux kernel versions before 3.16.63
Fixed version(s)
Linux kernel version 4.20
Linux kernel version 4.9.145
Linux kernel version 4.19.9
Linux kernel version 4.14.88
Linux kernel version 4.4.167
Linux kernel version 3.16.63
Proof of concept
Unknown
Description
There is a use-after-free vulnerability in usb_audio_probe(). This function accesses a freed object when decrementing its reference counter. The attacker needs local access to plug in a malicious USB device in order to exploit the vulnerability.
Technical details
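If a USB sound card reports 0 interfaces, an error condition is triggered and the function usb_audio_probe() errors out. In the error path, there was a use-after-free vulnerability: the memory object of the card was freed first, and only then was the number of active chips (chip->active) decremented. Because chip->active is stored inside the chip->card object, that decrement wrote to memory that had possibly already been returned. The fix moves the decrement ahead of the free.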
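The ordering problem described above, modeled in userspace as an added example (not kernel code, and not taken from the advisory or the fix commit). The model_* names, the live flag and the stale_writes counter are assumptions of the model; the card is never really freed, so a stale write is counted rather than performed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: every name here is hypothetical, not kernel API. */
struct model_chip {
    atomic_int active;          /* stands in for chip->active */
    int num_interfaces;
    struct model_card *card;
};
struct model_card {
    bool live;                  /* false once the card has been "freed" */
    struct model_chip chip;     /* the chip is stored inside the card object */
};
static int stale_writes;        /* decrements attempted on a freed card */

/* Checked decrement: counts a violation instead of writing to a dead card. */
static void dec_active(struct model_chip *chip) {
    if (!chip->card->live) { stale_writes++; return; }
    atomic_fetch_sub(&chip->active, 1);
}

/* Error-path order before the fix: free the card, then decrement. */
static void error_path_before(struct model_chip *chip) {
    if (!chip->num_interfaces) chip->card->live = false; /* models snd_card_free() */
    dec_active(chip);
}

/* Error-path order after the fix: decrement, then free the card. */
static void error_path_after(struct model_chip *chip) {
    dec_active(chip);
    if (!chip->num_interfaces) chip->card->live = false; /* models snd_card_free() */
}

/* Runs one failed probe; returns how many writes hit a freed card. */
static int run_case(void (*path)(struct model_chip *), int num_interfaces) {
    static struct model_card card;  /* static storage: nothing is really freed */
    card.live = true;
    card.chip.card = &card;
    card.chip.num_interfaces = num_interfaces;
    atomic_store(&card.chip.active, 1);
    stale_writes = 0;
    path(&card.chip);
    return stale_writes;
}

int main(void) {
    printf("stale writes before fix: %d\n", run_case(error_path_before, 0));
    printf("stale writes after fix:  %d\n", run_case(error_path_after, 0));
    return 0;
}
```

With a non-zero interface count the card is kept, so both orderings report no stale write; only the 0-interface case separates them.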
File: sound/usb/card.c --- __error: if (chip) { + /* chip->active is inside the chip->card object, + * decrement before memory is possibly returned. + */ + atomic_dec(&chip->active); if (!chip->num_interfaces) snd_card_free(chip->card); - atomic_dec(&chip->active); } mutex_unlock(®ister_mutex); return err; ---
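Review bot: in the __error path, the new comment covers only chip->active, but once snd_card_free(chip->card) has run, no field of chip that lives in the card object may be touched, and nothing in the hunk says so. The lines that follow today (the mutex_unlock and return err) do not dereference chip, so the reordering is sufficient as written. I would extend the comment to state that chip must not be used after snd_card_free(), so that a later addition to this error path does not reintroduce the same use-after-free.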
Credits
Mathias Payer
Reference(s)
UAF write in usb_audio_probe
https://seclists.org/oss-sec/2018/q4/197
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?id=5f8cf712582617d523120df67d392059eaf2fc4b
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
https://github.com/torvalds/linux/commit/5f8cf712582617d523120df67d392059eaf2fc4b
ChangeLog-4.9.145
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.145
ChangeLog-4.19.9
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.9
ChangeLog-4.14.88
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.88
ChangeLog-4.4.167
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.167
ChangeLog-3.16.63
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.63
ChangeLog-4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20
CVE-2018-19824 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-19824
CVE-2018-19824 | SUSE
https://www.suse.com/security/cve/CVE-2018-19824
CVE-2018-19824
https://security-tracker.debian.org/tracker/CVE-2018-19824
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-19824.html
CVE-2018-19824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19824
CVE-2018-19824
https://nvd.nist.gov/vuln/detail/CVE-2018-19824
Last modified: October 10, 2019