diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2010-09-28 20:18:20 +0200 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2010-09-28 21:33:16 +0200 |
commit | 5591bf07225523600450edd9e6ad258bb877b779 (patch) | |
tree | f886a48ec51861e74c79eca3052adeb9646d1534 /sound/i2c | |
parent | ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory (diff) | |
download | linux-5591bf07225523600450edd9e6ad258bb877b779.tar.xz linux-5591bf07225523600450edd9e6ad258bb877b779.zip |
ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow. If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk. This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/i2c')
0 files changed, 0 insertions, 0 deletions