OpenCloudOS-Kernel/sound/core
Dan Rosenberg 5591bf0722 ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow.  If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk.  This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-09-28 21:33:16 +02:00
..
oss ALSA: core - Define llseek fops 2010-04-13 12:01:21 +02:00
seq ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() 2010-09-08 10:45:34 +02:00
Kconfig ALSA: sound/core/pcm_timer.c: use lib/gcd.c 2009-12-22 08:24:35 +01:00
Makefile ALSA: Fix SG-buffer DMA with non-coherent architectures 2009-07-08 14:20:20 +02:00
control.c ALSA: prevent heap corruption in snd_ctl_new() 2010-09-28 21:33:16 +02:00
control_compat.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
device.c ALSA: Print function symbol in the error messages 2008-10-16 16:17:30 +02:00
hrtimer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hwdep.c ALSA: hwdep - Make open callback optional 2009-02-05 09:10:20 +01:00
hwdep_compat.c [PATCH] hwdep_compat missed __user annotations 2006-10-10 15:37:21 -07:00
info.c ALSA: info - Implement common llseek for binary mode 2010-04-13 12:01:20 +02:00
info_oss.c ALSA: Kill snd_assert() in sound/core/* 2008-08-13 11:46:35 +02:00
init.c ALSA: Remove struct snd_monitor_file from public sound/core.h 2009-09-07 15:50:18 +02:00
isadma.c ALSA: snd_dma_pointer workaround for chipsets with buggy DMA 2009-10-11 18:03:13 +02:00
jack.c Merge branch 'topic/jack' into for-linus 2010-05-20 11:59:37 +02:00
memalloc.c ALSA: Fix SG-buffer DMA with non-coherent architectures 2009-07-08 14:20:20 +02:00
memory.c [ALSA] Remove sound/driver.h 2008-01-31 17:29:48 +01:00
misc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm.c ALSA: pcm - Fix race with proc files 2010-09-16 23:06:50 +02:00
pcm_compat.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_lib.c ALSA: pcm core - add a safe check to the silence filling function 2010-07-19 16:47:01 +02:00
pcm_memory.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_misc.c ALSA: pcm: Define G723 3-bit and 5-bit formats 2010-05-31 09:10:03 +02:00
pcm_native.c ALSA: pcm - Fix unbalanced pm_qos_request 2010-09-16 23:04:38 +02:00
pcm_timer.c ALSA: sound/core/pcm_timer.c: use lib/gcd.c 2009-12-22 08:24:35 +01:00
rawmidi.c ALSA: rawmidi: fix the get next midi device ioctl 2010-09-09 09:05:21 +02:00
rawmidi_compat.c [ALSA] Remove xxx_t typedefs: Raw MIDI 2006-01-03 12:17:35 +01:00
rtctimer.c ALSA: hda - Convert from takslet_hi_schedule() to tasklet_schedule() 2008-12-18 12:17:55 +01:00
sgbuf.c ALSA: Fix vunmap and free order in snd_free_sgbuf_pages() 2009-03-18 08:04:01 +01:00
sound.c ALSA: Remove BKL from open multiplexer 2010-04-09 10:28:36 +02:00
sound_oss.c ALSA: Remove warning message for invalid OSS minor ranges 2010-01-18 14:18:55 +01:00
timer.c Merge branch 'topic/core-cleanup' into for-linus 2010-05-20 11:58:57 +02:00
timer_compat.c ALSA: Kill snd_assert() in sound/core/* 2008-08-13 11:46:35 +02:00
vmaster.c ALSA: Add new TLV types for dBwith min/max 2009-06-17 10:56:53 +02:00