CVE-2010-3442: ALSA: prevent heap corruption in snd_ctl_new()
This commit is contained in:
Chuck Ebbert
parent
2c7b199d8c
commit
fa44e9fd9f
|
|
@ -0,0 +1,46 @@
|
|||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Date: Tue, 28 Sep 2010 18:18:20 +0000 (-0400)
|
||||
Subject: ALSA: prevent heap corruption in snd_ctl_new()
|
||||
X-Git-Tag: v2.6.36-rc7~12^2~1
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git;a=commitdiff_plain;h=5591bf07225523600450edd9e6ad258bb877b779
|
||||
|
||||
ALSA: prevent heap corruption in snd_ctl_new()
|
||||
|
||||
The snd_ctl_new() function in sound/core/control.c allocates space for a
|
||||
snd_kcontrol struct by performing arithmetic operations on a
|
||||
user-provided size without checking for integer overflow. If a user
|
||||
provides a large enough size, an overflow will occur, the allocated
|
||||
chunk will be too small, and a second user-influenced value will be
|
||||
written repeatedly past the bounds of this chunk. This code is
|
||||
reachable by unprivileged users who have permission to open
|
||||
a /dev/snd/controlC* device (on many distros, this is group "audio") via
|
||||
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
|
||||
|
||||
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Cc: <stable@kernel.org>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
|
||||
diff --git a/sound/core/control.c b/sound/core/control.c
|
||||
index 070aab4..45a8180 100644
|
||||
--- a/sound/core/control.c
|
||||
+++ b/sound/core/control.c
|
||||
@@ -31,6 +31,7 @@
|
||||
|
||||
/* max number of user-defined controls */
|
||||
#define MAX_USER_CONTROLS 32
|
||||
+#define MAX_CONTROL_COUNT 1028
|
||||
|
||||
struct snd_kctl_ioctl {
|
||||
struct list_head list; /* list of all ioctls */
|
||||
@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
|
||||
|
||||
if (snd_BUG_ON(!control || !control->count))
|
||||
return NULL;
|
||||
+
|
||||
+ if (control->count > MAX_CONTROL_COUNT)
|
||||
+ return NULL;
|
||||
+
|
||||
kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
|
||||
if (kctl == NULL) {
|
||||
snd_printk(KERN_ERR "Cannot allocate control instance\n");
|
||||
|
|
@ -885,6 +885,8 @@ Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
|||
Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
# CVE-2010-3705
|
||||
Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||
# CVE-2010-3442
|
||||
Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
|
@ -1695,6 +1697,8 @@ ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch
|
|||
ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
|
||||
# CVE-2010-3705
|
||||
ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
|
||||
# CVE-2010-3442
|
||||
ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
|
@ -2322,6 +2326,7 @@ fi
|
|||
- CVE-2010-2963: v4l: VIDIOCSMICROCODE arbitrary write
|
||||
- CVE-2010-3698: kvm: invalid selector in fs/gs causes kernel panic
|
||||
- CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
|
||||
- CVE-2010-3442: ALSA: prevent heap corruption in snd_ctl_new()
|
||||
|
||||
* Thu Dec 09 2010 Kyle McMartin <kyle@redhat.com>
|
||||
- ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue