Google Git
Sign in
gem5 / arm / linux / 5591bf07225523600450edd9e6ad258bb877b779
commit5591bf07225523600450edd9e6ad258bb877b779[log] [tgz]
authorDan Rosenberg <drosenberg@vsecurity.com>Tue Sep 28 14:18:20 2010 -0400
committerTakashi Iwai <tiwai@suse.de>Tue Sep 28 21:33:16 2010 +0200
treef886a48ec51861e74c79eca3052adeb9646d1534
parente68d3b316ab7b02a074edc4f770e6a746390cb7d [diff]
ALSA: prevent heap corruption in snd_ctl_new()

The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow.  If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk.  This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 file changed
tree: f886a48ec51861e74c79eca3052adeb9646d1534
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. MAINTAINERS
  28. Makefile
  29. README
  30. REPORTING-BUGS