summaryrefslogtreecommitdiffstats
path: root/sound/i2c
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2010-09-28 20:18:20 +0200
committerTakashi Iwai <tiwai@suse.de>2010-09-28 21:33:16 +0200
commit5591bf07225523600450edd9e6ad258bb877b779 (patch)
treef886a48ec51861e74c79eca3052adeb9646d1534 /sound/i2c
parentALSA: sound/pci/rme9652: prevent reading uninitialized stack memory (diff)
downloadlinux-5591bf07225523600450edd9e6ad258bb877b779.tar.xz
linux-5591bf07225523600450edd9e6ad258bb877b779.zip
ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/i2c')
0 files changed, 0 insertions, 0 deletions