Re: [PATCH] Prevent buffer overflow in OSS load_mixer_volumes

Re: [PATCH] Prevent buffer overflow in OSS load_mixer_volumes

[Takashi Iwai]

At Sat, 25 Dec 2010 16:23:40 -0500,
Dan Rosenberg wrote:
> 
> The load_mixer_volumes() function, which can be triggered by
> unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
> a buffer overflow.  Because the provided "name" argument isn't
> guaranteed to be NULL terminated at the expected 32 bytes, it's possible
> to overflow past the end of the last element in the mixer_vols array.
> Further exploitation can result in an arbitrary kernel write (via
> subsequent calls to load_mixer_volumes()) leading to privilege
> escalation, or arbitrary kernel reads via get_mixer_levels().  In
> addition, the strcmp() may leak bytes beyond the mixer_vols array.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable <stable@kernel.org>

Thanks, applied now to sound git tree.
I'll send a pull request to Linus today.


Takashi

> ---
>  sound/oss/soundcard.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
> index 46c0d03..fcb14a0 100644
> --- a/sound/oss/soundcard.c
> +++ b/sound/oss/soundcard.c
> @@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
>  	int             i, n;
>  
>  	for (i = 0; i < num_mixer_volumes; i++) {
> -		if (strcmp(name, mixer_vols[i].name) == 0) {
> +		if (strncmp(name, mixer_vols[i].name, 32) == 0) {
>  			if (present)
>  				mixer_vols[i].num = i;
>  			return mixer_vols[i].levels;
> @@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
>  	}
>  	n = num_mixer_volumes++;
>  
> -	strcpy(mixer_vols[n].name, name);
> +	strncpy(mixer_vols[n].name, name, 32);
>  
>  	if (present)
>  		mixer_vols[n].num = n;
> 
>