From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20141116215328.938477028@1wt.eu> Date: Sun, 16 Nov 2014 22:53:35 +0100 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Lars-Peter Clausen , Jaroslav Kysela , Takashi Iwai , Willy Tarreau Subject: [ 07/48] ALSA: control: Make sure that id->index does not In-Reply-To: <28c765bc23bd4bae1611534e510f49f8@local> Sender: linux-kernel-owner@vger.kernel.org List-ID: 2.6.32-longterm review patch. If anyone has any objections, please let me know. ------------------ overflow From: Lars-Peter Clausen The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Cc: Signed-off-by: Takashi Iwai (cherry picked from commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e) [wt: part 1 of CVE-2014-4656 fix] Signed-off-by: Willy Tarreau --- sound/core/control.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index 7834a54..80bb3ed 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -328,6 +328,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) if (snd_BUG_ON(!card || !kcontrol->info)) goto error; id = kcontrol->id; + if (id.index > UINT_MAX - kcontrol->count) + goto error; + down_write(&card->controls_rwsem); if (snd_ctl_find_id(card, &id)) { up_write(&card->controls_rwsem); -- 1.7.12.2.21.g234cd45.dirty