From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lars-Peter Clausen <lars@metafoo.de>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.de>,
Willy Tarreau <w@1wt.eu>
Subject: [ 08/48] ALSA: control: Handle numid overflow
Date: Sun, 16 Nov 2014 22:53:36 +0100 [thread overview]
Message-ID: <20141116215328.979301376@1wt.eu> (raw)
In-Reply-To: <28c765bc23bd4bae1611534e510f49f8@local>
2.6.32-longterm review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
Each control gets automatically assigned its numids when the control is created.
The allocation is done by incrementing the numid by the amount of allocated
numids per allocation. This means that excessive creation and destruction of
controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
eventually overflow. Currently when this happens for the control that caused the
overflow kctl->id.numid + kctl->count will also over flow causing it to be
smaller than kctl->id.numid. Most of the code assumes that this is something
that can not happen, so we need to make sure that it won't happen
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit ac902c112d90a89e59916f751c2745f4dbdbb4bd)
[wt: part 2 of CVE-2014-4656]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
sound/core/control.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c
index 80bb3ed..d7f4644 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -278,6 +278,10 @@ static unsigned int snd_ctl_hole_check(struct snd_card *card,
{
struct snd_kcontrol *kctl;
+ /* Make sure that the ids assigned to the control do not wrap around */
+ if (card->last_numid >= UINT_MAX - count)
+ card->last_numid = 0;
+
list_for_each_entry(kctl, &card->controls, list) {
if ((kctl->id.numid <= card->last_numid &&
kctl->id.numid + kctl->count > card->last_numid) ||
--
1.7.12.2.21.g234cd45.dirty
next prev parent reply other threads:[~2014-11-16 22:13 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <28c765bc23bd4bae1611534e510f49f8@local>
2014-11-16 21:53 ` [ 00/48] 2.6.32.64-longterm review Willy Tarreau
2014-11-16 21:53 ` [ 01/48] x86_32, entry: Do syscall exit work on badsys Willy Tarreau
2014-11-16 21:53 ` [ 02/48] x86_32, entry: Store badsys error code in %eax Willy Tarreau
2014-11-16 21:53 ` [ 03/48] x86_32, entry: Clean up sysenter_badsys declaration Willy Tarreau
2014-11-16 21:53 ` [ 04/48] MIPS: Cleanup flags in syscall flags handlers Willy Tarreau
2014-11-16 21:53 ` [ 05/48] MIPS: asm: thread_info: Add _TIF_SECCOMP flag Willy Tarreau
2014-11-16 21:53 ` [ 06/48] fix autofs/afs/etc. magic mountpoint breakage Willy Tarreau
2014-11-16 21:53 ` [ 07/48] ALSA: control: Make sure that id->index does not Willy Tarreau
2014-11-16 21:53 ` Willy Tarreau [this message]
2014-11-16 21:53 ` [ 09/48] sctp: Fix sk_ack_backlog wrap-around problem Willy Tarreau
2014-11-16 21:53 ` [ 10/48] mm: try_to_unmap_cluster() should lock_page() before Willy Tarreau
2014-11-16 21:53 ` [ 11/48] filter: prevent nla extensions to peek beyond the end Willy Tarreau
2014-11-16 21:53 ` [ 12/48] ALSA: control: Protect user controls against Willy Tarreau
2014-11-16 21:53 ` [ 13/48] ptrace,x86: force IRET path after a ptrace_stop() Willy Tarreau
2014-11-16 21:53 ` [ 14/48] sym53c8xx_2: Set DID_REQUEUE return code when aborting Willy Tarreau
2014-11-16 21:53 ` [ 15/48] tcp: fix tcp_match_skb_to_sack() for unaligned SACK at Willy Tarreau
2014-11-16 21:53 ` [ 16/48] igmp: fix the problem when mc leave group Willy Tarreau
2014-11-16 21:53 ` [ 17/48] appletalk: Fix socket referencing in skb Willy Tarreau
2014-11-16 21:53 ` [ 18/48] net: sctp: fix information leaks in ulpevent layer Willy Tarreau
2014-11-16 21:53 ` [ 19/48] sunvnet: clean up objects created in vnet_new() on Willy Tarreau
2014-11-16 21:53 ` [ 20/48] ipv4: fix buffer overflow in ip_options_compile() Willy Tarreau
2014-11-16 21:53 ` [ 21/48] net: sctp: inherit auth_capable on INIT collisions Willy Tarreau
2014-11-16 21:53 ` [ 22/48] net: sendmsg: fix NULL pointer dereference Willy Tarreau
2014-12-01 11:45 ` Luis Henriques
2014-12-01 12:30 ` Willy Tarreau
2014-11-16 21:53 ` [ 23/48] tcp: Fix integer-overflows in TCP veno Willy Tarreau
2014-11-16 21:53 ` [ 24/48] tcp: Fix integer-overflow in TCP vegas Willy Tarreau
2014-11-16 21:53 ` [ 25/48] macvlan: Initialize vlan_features to turn on offload Willy Tarreau
2014-11-16 21:53 ` [ 26/48] net: Correctly set segment mac_len in skb_segment() Willy Tarreau
2014-11-16 21:53 ` [ 27/48] iovec: make sure the caller actually wants anything in Willy Tarreau
2014-11-16 21:53 ` [ 28/48] sctp: fix possible seqlock seadlock in Willy Tarreau
2014-11-16 21:53 ` [ 29/48] Revert "nfsd: correctly handle return value from Willy Tarreau
2014-11-16 21:53 ` [ 30/48] dm crypt: fix access beyond the end of allocated space Willy Tarreau
2014-11-16 21:53 ` [ 31/48] gianfar: disable vlan tag insertion by default Willy Tarreau
2014-11-16 21:54 ` [ 32/48] USB: kobil_sct: fix non-atomic allocation in write Willy Tarreau
2014-11-16 21:54 ` [ 33/48] fix misuses of f_count() in ppp and netlink Willy Tarreau
2014-11-16 21:54 ` [ 34/48] net: sctp: fix skb_over_panic when receiving malformed Willy Tarreau
2014-11-16 21:54 ` [ 35/48] tty: Fix high cpu load if tty is unreleaseable Willy Tarreau
2014-11-16 21:54 ` [ 36/48] netfilter: nf_log: account for size of NLMSG_DONE Willy Tarreau
2014-11-16 21:54 ` [ 37/48] netfilter: nfnetlink_log: fix maximum packet length Willy Tarreau
2014-11-16 21:54 ` [ 38/48] ring-buffer: Always reset iterator to reader page Willy Tarreau
2014-11-16 21:54 ` [ 39/48] md/raid6: avoid data corruption during recovery of Willy Tarreau
2014-11-16 21:54 ` [ 40/48] net: pppoe: use correct channel MTU when using Willy Tarreau
2014-11-16 21:54 ` [ 41/48] ARM: 7668/1: fix memset-related crashes caused by Willy Tarreau
2014-11-16 21:54 ` [ 42/48] ARM: 7670/1: fix the memset fix Willy Tarreau
2014-11-16 21:54 ` [ 43/48] lib/lzo: Update LZO compression to current upstream Willy Tarreau
2014-11-16 21:54 ` [ 44/48] Documentation: lzo: document part of the encoding Willy Tarreau
2014-11-16 21:54 ` [ 45/48] lzo: check for length overrun in variable length Willy Tarreau
2014-11-16 21:54 ` [ 46/48] USB: add new zte 3g-dongles pid to option.c Willy Tarreau
2014-11-16 21:54 ` [ 47/48] futex: Unlock hb->lock in futex_wait_requeue_pi() Willy Tarreau
2014-11-16 21:54 ` [ 48/48] isofs: Fix unbounded recursion when processing Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141116215328.979301376@1wt.eu \
--to=w@1wt.eu \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox