From: Takashi Iwai <tiwai@suse.de>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: security@kernel.org, alsa-devel@alsa-project.org
Subject: Re: [PATCH] Prevent buffer overflow in OSS load_mixer_volumes
Date: Sun, 02 Jan 2011 11:13:49 +0100 [thread overview]
Message-ID: <s5h1v4vmx42.wl%tiwai@suse.de> (raw)
In-Reply-To: <1293312220.9764.35.camel@Dan>
At Sat, 25 Dec 2010 16:23:40 -0500,
Dan Rosenberg wrote:
>
> The load_mixer_volumes() function, which can be triggered by
> unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
> a buffer overflow. Because the provided "name" argument isn't
> guaranteed to be NULL terminated at the expected 32 bytes, it's possible
> to overflow past the end of the last element in the mixer_vols array.
> Further exploitation can result in an arbitrary kernel write (via
> subsequent calls to load_mixer_volumes()) leading to privilege
> escalation, or arbitrary kernel reads via get_mixer_levels(). In
> addition, the strcmp() may leak bytes beyond the mixer_vols array.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable <stable@kernel.org>
Thanks, applied now to sound git tree.
I'll send a pull request to Linus today.
Takashi
> ---
> sound/oss/soundcard.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
> index 46c0d03..fcb14a0 100644
> --- a/sound/oss/soundcard.c
> +++ b/sound/oss/soundcard.c
> @@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
> int i, n;
>
> for (i = 0; i < num_mixer_volumes; i++) {
> - if (strcmp(name, mixer_vols[i].name) == 0) {
> + if (strncmp(name, mixer_vols[i].name, 32) == 0) {
> if (present)
> mixer_vols[i].num = i;
> return mixer_vols[i].levels;
> @@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
> }
> n = num_mixer_volumes++;
>
> - strcpy(mixer_vols[n].name, name);
> + strncpy(mixer_vols[n].name, name, 32);
>
> if (present)
> mixer_vols[n].num = n;
>
>
parent reply other threads:[~2011-01-02 10:13 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <1293312220.9764.35.camel@Dan>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s5h1v4vmx42.wl%tiwai@suse.de \
--to=tiwai@suse.de \
--cc=alsa-devel@alsa-project.org \
--cc=drosenberg@vsecurity.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).