Problem Description:
The kernel driver for /dev/midistat implements a handler
for read(2). This handler is not thread-safe, and a
multi-threaded program can exploit races in the handler to
cause it to copy out kernel memory outside the boundaries
of midistat's data buffer.
Impact:
The races allow a program to read kernel memory within
a 4GB window centered at midistat's data buffer. The buffer
is allocated each time the device is opened, so an attacker
is not limited to a static 4GB region of memory.
On 32-bit platforms, an attempt to trigger the race may
cause a page fault in kernel mode, leading to a panic.