| From stable-bounces@linux.kernel.org Mon Aug 4 17:20:12 2008 |
| From: Willy Tarreau <w@1wt.eu> |
| Date: Tue, 5 Aug 2008 00:20:03 GMT |
| Subject: sound: ensure device number is valid in snd_seq_oss_synth_make_info |
| To: jejb@kernel.org, stable@kernel.org |
| Message-ID: <200808050020.m750K3ii020082@hera.kernel.org> |
| |
| From: Willy Tarreau <w@1wt.eu> |
| |
| commit 82e68f7ffec3800425f2391c8c86277606860442 upstream |
| |
| snd_seq_oss_synth_make_info() incorrectly reports information |
| to userspace without first checking for the validity of the |
| device number, leading to possible information leak (CVE-2008-3272). |
| |
| Reported-By: Tobias Klein <tk@trapkit.de> |
| Acked-and-tested-by: Takashi Iwai <tiwai@suse.de> |
| Cc: stable@kernel.org |
| Signed-off-by: Willy Tarreau <w@1wt.eu> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| sound/core/seq/oss/seq_oss_synth.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/sound/core/seq/oss/seq_oss_synth.c |
| +++ b/sound/core/seq/oss/seq_oss_synth.c |
| @@ -604,6 +604,9 @@ snd_seq_oss_synth_make_info(struct seq_o |
| { |
| struct seq_oss_synth *rec; |
| |
| + if (dev < 0 || dev >= dp->max_synthdev) |
| + return -ENXIO; |
| + |
| if (dp->synths[dev].is_midi) { |
| struct midi_info minf; |
| snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); |