{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49292", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.302Z", "datePublished": "2025-02-26T01:56:28.552Z", "dateUpdated": "2025-05-04T08:34:23.499Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:34:23.499Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe've got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc(). Although we\napply the restrictions to input parameters, it's based only on the\nhw_params of the underlying PCM device. Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers. First off, it adds the limit of 1MB as the\nupper bound for period bytes. This must be large enough for all use\ncases, and we really don't want to handle a larger temporary buffer\nthan this size. The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/core/oss/pcm_oss.c", "sound/core/oss/pcm_plugin.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "a63af1baf0a5e11827db60e3127f87e437cab6e5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "0c4190b41a69990666b4000999e27f8f1b2a426b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "5ce74ff7059341d8b2f4d01c3383491df63d1898", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "7a40cbf3579a8e14849ba7ce46309c1992658d2b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "fb08bf99195a87c798bc8ae1357337a981faeade", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e74a069c6a7bb505f3ade141dddf85f4b0b5145a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "efb6402c3c4a7c26d97c92d70186424097b6e366", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["sound/core/oss/pcm_oss.c", "sound/core/oss/pcm_plugin.c"], "versions": [{"version": "4.19.237", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.188", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.109", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.32", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.18", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.1", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.188"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.109"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.32"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.16.18"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.17.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5"}, {"url": "https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b"}, {"url": "https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898"}, {"url": "https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b"}, {"url": "https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade"}, {"url": "https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a"}, {"url": "https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366"}], "title": "ALSA: oss: Fix PCM OSS buffer allocation overflow", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe've got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc(). Although we\napply the restrictions to input parameters, it's based only on the\nhw_params of the underlying PCM device. Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers. First off, it adds the limit of 1MB as the\nupper bound for period bytes. This must be large enough for all use\ncases, and we really don't want to handle a larger temporary buffer\nthan this size. The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes."}], "id": "CVE-2022-49292", "lastModified": "2025-02-26T07:01:06.047", "metrics": {}, "published": "2025-02-26T07:01:06.047", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: ALSA: oss: Fix PCM OSS buffer allocation overflow", "id": "2348302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348302"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nALSA: oss: Fix PCM OSS buffer allocation overflow\nWe've got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc(). Although we\napply the restrictions to input parameters, it's based only on the\nhw_params of the underlying PCM device. Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers. First off, it adds the limit of 1MB as the\nupper bound for period bytes. This must be large enough for all use\ncases, and we really don't want to handle a larger temporary buffer\nthan this size. The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes."], "name": "CVE-2022-49292", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49292\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49292\nhttps://lore.kernel.org/linux-cve-announce/2025022633-CVE-2022-49292-b60c@gregkh/T"], "threat_severity": "Low"}