Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.15.0, < 6.15.8
A vulnerability in the Linux kernel's ALSA timer handling has been addressed. The issue arose in the 'snd_utimer_create()' function, where an unallocated ID was improperly freed. If the 'kasprintf()' function returned NULL, the 'snd_utimer_put_id()' function would be called, leading to a call to 'ida_free()' to free ID 0, which had not been allocated. This problem was reported by syzkaller, indicating that 'ida_free' was called for an ID that was not allocated, causing a warning. The vulnerability was introduced in a previous commit that added virtual userspace-driven timers.
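The error path described above, as an added userspace C model (not the kernel's code and not taken from the fix commit). It assumes the object's `id` field is zero-initialised and recorded only after the name allocation; the toy bitmap allocator and every function and struct name here are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_IDS 8
static bool id_used[MAX_IDS];   /* toy stand-in for the kernel IDA (model only) */
static int invalid_frees;       /* frees of an ID that is not allocated */

static int take_id(void) {      /* lowest free ID, or -1 when exhausted */
    for (int i = 0; i < MAX_IDS; i++)
        if (!id_used[i]) { id_used[i] = true; return i; }
    return -1;
}

static void put_id(int id) {    /* counts what the kernel would WARN about */
    if (id < 0 || id >= MAX_IDS || !id_used[id]) { invalid_frees++; return; }
    id_used[id] = false;
}

struct model_timer { int id; char *name; };
struct outcome { bool id0_held; bool id1_leaked; int invalid_frees; };

/* One creation whose name allocation fails (kasprintf() returning NULL). */
static void create_with_name_failure(bool store_id_first) {
    struct model_timer *t = calloc(1, sizeof(*t));   /* t->id starts as 0 */
    if (!t) return;
    int id = take_id();
    if (id < 0) { free(t); return; }
    if (store_id_first) t->id = id;  /* assumed hardened order */
    t->name = NULL;                  /* simulated allocation failure */
    put_id(t->id);                   /* error path releases whatever t->id holds */
    free(t);
}

static struct outcome run_scenario(bool store_id_first) {
    memset(id_used, 0, sizeof(id_used));
    invalid_frees = 0;
    int live = take_id();                      /* an existing timer owns ID 0 */
    create_with_name_failure(store_id_first);  /* takes ID 1, then fails */
    struct outcome o = { id_used[0], id_used[1], 0 };
    put_id(live);                              /* existing timer torn down later */
    o.invalid_frees = invalid_frees;
    return o;
}

int main(void) {
    struct outcome b = run_scenario(false), f = run_scenario(true);
    printf("buggy: invalid_frees=%d leaked=%d | fixed: invalid_frees=%d leaked=%d\n",
           b.invalid_frees, b.id1_leaked, f.invalid_frees, f.id1_leaked);
    return 0;
}
```

In the model, the late-assignment order releases ID 0 instead of the ID that was just taken, so ID 1 leaks and a later release of ID 0 is counted as a free of an unallocated ID; recording the ID before the first failure point avoids both.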
The vulnerability could lead to a warning being generated about an invalid 'ida_free' call, indicating a potential issue with ID management in the ALSA timer subsystem.
The vulnerability can be reproduced by creating a virtual userspace-driven timer using the ALSA timer interface. If the timer creation process encounters an error that causes the 'kasprintf()' function to return NULL, the 'snd_utimer_put_id()' function will be called to free the ID. However, since the ID was never allocated, this will result in a warning about freeing an invalid ID, indicating that the vulnerability has been triggered.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is '5003a65790ed66be882d1987cc2ca86af0de3db1', which is included in the latest Linux kernel releases.