CVE-2018-10902

Published: Aug 21, 2018Modified: Nov 21, 2024

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.

Affected (13)

Products: Debian: Debian Linux · Canonical: Ubuntu Linux · Linux: Linux Kernel · +1 more

Show all products

Debian: Debian Linux · Canonical: Ubuntu Linux · Linux: Linux Kernel · Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation

1 product

1 product

1 product

3 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Linux Linux Kernel	All versions

Configuration D

6 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Workstation	Version 6.0
Redhat Enterprise Linux Workstation	Version 7.0

Related CWEs

CWE-415

Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

CWE-416

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (38)

http://www.securityfocus.com/bid/105119

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1041529

Source: secalert@redhat.com

PatchThird Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:3083

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3096

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0415

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:0641

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3217

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2019:3967

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10902

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=39675f7a7c7e7702f7d5341f1e0d01db746543a0

Source: secalert@redhat.com

PatchVendor Advisory

https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://usn.ubuntu.com/3776-1/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3776-2/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3847-1/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3847-2/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3847-3/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3849-1/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3849-2/

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2018/dsa-4308

Source: secalert@redhat.com

Third Party Advisory

http://www.securityfocus.com/bid/105119