CVE-2022-48702

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-48702

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48702.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-48702

Related

Published

2024-05-03T16:15:08Z

Modified

2024-09-18T03:18:07.131036Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: emu10k1: Fix out of bounds access in sndemu10k1pcmchannelalloc()

The voice allocator sometimes begins allocating from near the end of the array and then wraps around, however sndemu10k1pcmchannelalloc() accesses the newly allocated voices as if it never wrapped around.

This results in out of bounds access if the first voice has a high enough index so that firstvoice + requestedvoicecount > NUMG (64). The more voices are requested, the more likely it is for this to occur.

This was initially discovered using PipeWire, however it can be reproduced by calling aplay multiple times with 16 channels: aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40 index 65 is out of range for type 'sndemu10k1voice [64]' CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7 Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010 Call Trace: <TASK> dumpstacklvl+0x49/0x63 dumpstack+0x10/0x16 ubsanepilogue+0x9/0x3f _ubsanhandleoutofbounds.cold+0x44/0x49 sndemu10k1playbackhwparams+0x3bc/0x420 [sndemu10k1] sndpcmhwparams+0x29f/0x600 [sndpcm] sndpcmcommonioctl+0x188/0x1410 [sndpcm] ? exittousermodeprepare+0x35/0x170 ? dosyscall64+0x69/0x90 ? syscallexittousermode+0x26/0x50 ? dosyscall64+0x69/0x90 ? exittousermodeprepare+0x35/0x170 sndpcmioctl+0x27/0x40 [sndpcm] _x64sysioctl+0x95/0xd0 dosyscall64+0x5c/0x90 ? dosyscall64+0x69/0x90 ? dosyscall64+0x69/0x90 entrySYSCALL64afterhwframe+0x63/0xcd

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.148-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}