From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Jaroslav Kysela" , "Takashi Iwai" , "Lars-Peter Clausen" Date: Tue, 08 Jul 2014 20:01:50 +0100 Message-ID: Subject: [PATCH 3.2 087/125] ALSA: control: Make sure that id->index does not overflow In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.2.61-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Lars-Peter Clausen commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. Signed-off-by: Lars-Peter Clausen Acked-by: Jaroslav Kysela Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/core/control.c | 3 +++ 1 file changed, 3 insertions(+) --- a/sound/core/control.c +++ b/sound/core/control.c @@ -341,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, s if (snd_BUG_ON(!card || !kcontrol->info)) goto error; id = kcontrol->id; + if (id.index > UINT_MAX - kcontrol->count) + goto error; + down_write(&card->controls_rwsem); if (snd_ctl_find_id(card, &id)) { up_write(&card->controls_rwsem);