linux/sound
Dan Rosenberg 5591bf0722 ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow.  If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk.  This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-09-28 21:33:16 +02:00
..
aoa of/device: Replace struct of_device with struct platform_device 2010-08-06 09:25:50 -06:00
arm Merge remote branch 'alsa/devel' into topic/misc 2010-04-16 15:20:06 +02:00
atmel ALSA: atmel: set "channel A event" output to debug 2010-06-08 16:42:02 +02:00
core ALSA: prevent heap corruption in snd_ctl_new() 2010-09-28 21:33:16 +02:00
drivers Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 2010-08-07 17:07:31 -07:00
i2c Merge remote branch 'alsa/devel' into topic/misc 2010-04-16 15:20:06 +02:00
isa ALSA: msnd-classic: Fix invalid cfg parameter 2010-09-08 09:58:12 +02:00
mips sound: Add missing spin_unlock 2010-05-27 09:47:02 +02:00
oss sound: oss: fix uninitialized spinlock 2010-08-28 11:57:54 +02:00
parisc ALSA: sound/parisc: Move dereference after NULL test 2009-10-30 12:01:38 +01:00
pci ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory 2010-09-25 17:46:22 +02:00
pcmcia pcmcia: do not use io_req_t when calling pcmcia_request_io() 2010-08-03 09:04:11 +02:00
ppc sound: Remove pr_<level> uses of KERN_<level> 2010-09-13 23:40:29 +02:00
sh include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
soc sound: Remove pr_<level> uses of KERN_<level> 2010-09-13 23:40:29 +02:00
sparc of/device: Replace struct of_device with struct platform_device 2010-08-06 09:25:50 -06:00
spi ALSA: sound/spi: patch for the unuseful variable removal 2010-06-08 16:51:27 +02:00
synth include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
usb ALSA: usb - Release capture substream URBs properly 2010-09-08 08:27:02 +02:00
ac97_bus.c
Kconfig tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
last.c
Makefile
sound_core.c sound: push BKL into open functions 2010-07-12 17:41:05 +02:00
sound_firmware.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00