Bug#563192: libportaudio.so.2 overrides the libasound2 error handler

Max Kellermann max at duempel.org
Thu Dec 31 17:54:53 UTC 2009


Package: libportaudio2
Version: 19+svn20071022-3
Severity: grave

Upon initialization, libportaudio2 (function PaAlsa_Initialize()) sets
a new global libasound2 error handler by invoking
snd_lib_error_set_handler().  It is bad style for a library to do
this, because this may overwrite the application's custom error
handler.

Now the real critical problem: when loaded with OpenAL (libopenal1
1:1.10.622-1 in this case), libportaudio2 sets the error handler, but
gets unloaded later, rendering the memory address of
AlsaErrorHandler() invalid.  This results in a crash of the
application on the next ALSA error.

(I have submitted this bug for libportaudio2 instead of libopenal1,
because I think libportaudio2 is really doing the wrong thing by
overwriting another library's global variable; you could argue that
unloading the library is wrong in the first place)

Practical example: the Music Player Daemon, which has plugins for
OpenAL as well as for native ALSA.  Here is a crash backtrace:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe2ab6910 (LWP 31128)]
0x00007ffff7e73d08 in ?? ()
(gdb) bt
#0  0x00007ffff7e73d08 in ?? ()
#1  0x00007ffff23fb9a6 in snd_pcm_hw_open (pcmp=0x513178, name=0x5130d0 "hw:0", card=0, device=0, subdevice=-1, 
    stream=SND_PCM_STREAM_PLAYBACK, mode=327681, mmap_emulation=0, sync_ptr_ioctl=0) at pcm_hw.c:1325
#2  0x00007ffff23fc05e in _snd_pcm_hw_open (pcmp=0x513178, name=0x5130d0 "hw:0", root=0x538960, conf=0x55e290, 
    stream=SND_PCM_STREAM_PLAYBACK, mode=327680) at pcm_hw.c:1505
#3  0x00007ffff23ea527 in snd_pcm_open_conf (pcmp=0x513178, name=0x5130d0 "hw:0", pcm_root=0x538960, pcm_conf=0x55e290, 
    stream=SND_PCM_STREAM_PLAYBACK, mode=327680) at pcm.c:2181
#4  0x00007ffff23ea6aa in snd_pcm_open_noupdate (pcmp=0x513178, root=0x538960, name=0x5130d0 "hw:0", 
    stream=SND_PCM_STREAM_PLAYBACK, mode=327680, hop=0) at pcm.c:2219
#5  0x00007ffff23ea740 in snd_pcm_open (pcmp=0x513178, name=0x5130d0 "hw:0", stream=SND_PCM_STREAM_PLAYBACK, mode=327680)
    at pcm.c:2241
#6  0x000000000042b34a in alsa_open (data=0x513160, audio_format=0x512d20, error=0x7fffe2ab6008)
    at /home/max/git/mpd/src/output/alsa_plugin.c:471
#7  0x0000000000428153 in ao_plugin_open (plugin=0x4678c0, data=0x513160, audio_format=0x512d20, error=0x7fffe2ab6008)
    at /home/max/git/mpd/src/output_plugin.h:196
[...]


Severity "grave" because this allows an attacker to make MPD crash
remotely.  It might also be possible to inject and execute code this
way, if the address happens to be memory mapped later.
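The failure mode described in this report, a library installing itself into a process-global callback slot and then being unloaded, is modelled in the added C example below (not code from the report, libportaudio or alsa-lib). It uses a constructed stand-in for libasound's handler slot so it runs without ALSA installed; the mock setter returns the previous handler for convenience, which a real library must instead record itself before overwriting the global. The "fixed" variant shows the save-and-restore pattern that keeps the slot from pointing into unmapped memory once the library is gone.

```c
#include <stddef.h>

/* Stand-in for libasound's single global error-handler slot (assumption:
 * the real slot is the one written by snd_lib_error_set_handler()). */
typedef void (*error_handler_t)(const char *msg);
static error_handler_t g_error_handler = NULL; /* NULL = library default */

static int app_calls, lib_calls;

static void default_handler(const char *msg) { (void)msg; }
static void app_handler(const char *msg)     { (void)msg; app_calls++; }

/* Mock setter: install a handler and hand back the previous one. */
static error_handler_t set_error_handler(error_handler_t h) {
    error_handler_t prev = g_error_handler;
    g_error_handler = h;
    return prev;
}

/* Mock of the point where libasound reports an error: it blindly calls
 * whatever the slot holds, which is exactly why a stale pointer crashes. */
static void report_error(const char *msg) {
    (g_error_handler ? g_error_handler : default_handler)(msg);
}

/* --- the "plugin library" (what PaAlsa_Initialize() does today) --- */
static error_handler_t saved_handler;
static void lib_handler(const char *msg) { (void)msg; lib_calls++; }

/* Buggy: installs its handler and never undoes it on teardown. */
static void lib_init_buggy(void) { set_error_handler(lib_handler); }
static void lib_fini_buggy(void) { /* slot still points into this library */ }

/* Fixed: remember the previous handler and restore it before unloading. */
static void lib_init_fixed(void) { saved_handler = set_error_handler(lib_handler); }
static void lib_fini_fixed(void) { set_error_handler(saved_handler); }

/* Returns 1 if, after the library is torn down, the global slot still
 * references it: the state that becomes a dangling pointer after dlclose(). */
static int handler_left_dangling(void (*init)(void), void (*fini)(void)) {
    set_error_handler(app_handler); /* the application's own handler */
    init();
    fini();                         /* library unloaded */
    return g_error_handler == lib_handler;
}

/* Returns 1 if the next error after teardown reaches the application's
 * handler, i.e. the application's registration survived the library. */
static int app_handler_runs_after_unload(void (*init)(void), void (*fini)(void)) {
    app_calls = 0;
    (void)handler_left_dangling(init, fini);
    report_error("constructed ALSA error"); /* constructed sample error */
    return app_calls == 1;
}
```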
