The Linux kernel team has published a patch to fix a security issue that could enable an attacker to execute code with high privileges.
The flaw (CVE-2017-15265) exists in ALSA (Advanced Linux Sound Architecture), the software framework included in the Linux kernel that provides an API for sound card drivers.
The issue arises because the kernel ALSA code allowed an attacker to call a function, have the object it returned freed, and then still have that object used by a different function. This is called a use-after-free vulnerability, a well-known attack vector and a common memory management issue.
A successful exploit could enable the attacker to obtain elevated privileges on the targeted system.
According to the researchers:
“There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates a port object and returns its pointer, but it doesn’t take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free”
The issue has been fixed in Linux kernel version 4.13.4-2. The fix simply takes the refcount correctly in “snd_seq_create_port()” and lets the caller unref the object after use.
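To show why taking the reference inside the create function closes the race, here is an added toy model of a refcounted port object. It is not the kernel's code: the `port` struct, the fixed-size pool and the `create_port` / `delete_port` / `announce_port` names are all constructed for illustration, and the "concurrent" delete is simulated by calling it between creation and use rather than from a second thread. The `take_ref` flag switches between the buggy shape (caller receives a bare pointer, as in the original `snd_seq_create_port()`) and the fixed shape (caller receives its own reference and drops it after use).

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a refcounted port object (constructed for illustration;
 * not ALSA's real struct snd_seq_client_port). */
struct port {
    int in_use;     /* slot holds a live object */
    int refcount;   /* references held: the owning list plus any callers */
    int id;
    char name[16];
};

#define MAX_PORTS 4
static struct port pool[MAX_PORTS];        /* stands in for the kernel allocator */
static struct port *port_list[MAX_PORTS];  /* the client's port list */

static struct port *port_alloc(int id)
{
    for (int i = 0; i < MAX_PORTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].refcount = 0;
            pool[i].id = id;
            snprintf(pool[i].name, sizeof pool[i].name, "port%d", id);
            return &pool[i];
        }
    }
    return NULL;
}

static void port_get(struct port *p) { p->refcount++; }

/* Drop one reference; release the object when the last one goes away. */
static void port_put(struct port *p)
{
    if (--p->refcount == 0) {
        memset(p->name, 0xAA, sizeof p->name);  /* poison, like a freed block */
        p->in_use = 0;
    }
}

/* Create a port and link it into the list.
 * take_ref == 0: caller gets a bare pointer (the buggy shape).
 * take_ref == 1: caller gets its own reference (the fixed shape). */
static struct port *create_port(int id, int take_ref)
{
    struct port *p = port_alloc(id);
    if (!p) return NULL;
    port_get(p);                    /* reference held by port_list */
    port_list[id] = p;
    if (take_ref) port_get(p);      /* reference for the caller */
    return p;
}

/* Another thread deleting the port: unlink it and drop the list's reference. */
static void delete_port(int id)
{
    struct port *p = port_list[id];
    if (!p) return;
    port_list[id] = NULL;
    port_put(p);
}

/* Stand-in for snd_seq_system_client_ev_port_start(): touches the object.
 * Returns 0 on a live object, -1 if the object was already released. */
static int announce_port(struct port *p)
{
    if (!p->in_use) return -1;      /* would be a use-after-free in the real kernel */
    return 0;
}

/* Interleave create / concurrent delete / use, the ordering the advisory
 * describes. Returns announce_port()'s result. */
static int simulate_race(int take_ref)
{
    memset(pool, 0, sizeof pool);
    memset(port_list, 0, sizeof port_list);
    struct port *p = create_port(0, take_ref);
    delete_port(0);                 /* the racing thread wins */
    int rc = announce_port(p);
    if (take_ref) port_put(p);      /* caller unrefs after use; object is released here */
    return rc;
}

int main(void)
{
    printf("without refcount: %d\n", simulate_race(0));  /* -1: used after release */
    printf("with refcount:    %d\n", simulate_race(1));  /*  0: object still alive */
    return 0;
}
```

With `take_ref == 0` the list's single reference is the only thing keeping the object alive, so the racing delete releases it before `announce_port()` runs. With `take_ref == 1` the caller's reference keeps the object valid through the use, and the final `port_put()` is what actually releases it, which is exactly the ownership rule the fix establishes.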