| From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Tue, 28 Sep 2010 14:18:20 -0400 |
| Subject: ALSA: prevent heap corruption in snd_ctl_new() |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit 5591bf07225523600450edd9e6ad258bb877b779 upstream. |
| |
| The snd_ctl_new() function in sound/core/control.c allocates space for a |
| snd_kcontrol struct by performing arithmetic operations on a |
| user-provided size without checking for integer overflow. If a user |
| provides a large enough size, an overflow will occur, the allocated |
| chunk will be too small, and a second user-influenced value will be |
| written repeatedly past the bounds of this chunk. This code is |
| reachable by unprivileged users who have permission to open |
| a /dev/snd/controlC* device (on many distros, this is group "audio") via |
| the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. |
| |
| Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| sound/core/control.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/sound/core/control.c |
| +++ b/sound/core/control.c |
| @@ -31,6 +31,7 @@ |
| |
| /* max number of user-defined controls */ |
| #define MAX_USER_CONTROLS 32 |
| +#define MAX_CONTROL_COUNT 1028 |
| |
| struct snd_kctl_ioctl { |
| struct list_head list; /* list of all ioctls */ |
| @@ -191,6 +192,10 @@ static struct snd_kcontrol *snd_ctl_new( |
| |
| if (snd_BUG_ON(!control || !control->count)) |
| return NULL; |
| + |
| + if (control->count > MAX_CONTROL_COUNT) |
| + return NULL; |
| + |
| kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL); |
| if (kctl == NULL) { |
| snd_printk(KERN_ERR "Cannot allocate control instance\n"); |
