[kernel] r16441 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 14 06:50:46 UTC 2010


Author: dannf
Date: Thu Oct 14 06:50:39 2010
New Revision: 16441

Log:
ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/25

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Thu Oct 14 06:50:12 2010	(r16440)
+++ dists/sid/linux-2.6/debian/changelog	Thu Oct 14 06:50:39 2010	(r16441)
@@ -38,6 +38,7 @@
   * niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
   * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
   * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
+  * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
 
  -- dann frazier <dannf at debian.org>  Wed, 13 Oct 2010 23:44:55 -0600
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch	Thu Oct 14 06:50:39 2010	(r16441)
@@ -0,0 +1,43 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit 5591bf07225523600450edd9e6ad258bb877b779
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Tue Sep 28 14:18:20 2010 -0400
+
+    ALSA: prevent heap corruption in snd_ctl_new()
+    
+    The snd_ctl_new() function in sound/core/control.c allocates space for a
+    snd_kcontrol struct by performing arithmetic operations on a
+    user-provided size without checking for integer overflow.  If a user
+    provides a large enough size, an overflow will occur, the allocated
+    chunk will be too small, and a second user-influenced value will be
+    written repeatedly past the bounds of this chunk.  This code is
+    reachable by unprivileged users who have permission to open
+    a /dev/snd/controlC* device (on many distros, this is group "audio") via
+    the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+--- a/sound/core/control.c	2009-12-02 20:51:21.000000000 -0700
++++ b/sound/core/control.c	2010-10-14 00:43:09.342659768 -0600
+@@ -31,6 +31,7 @@
+ 
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS	32
++#define MAX_CONTROL_COUNT	1028
+ 
+ struct snd_kctl_ioctl {
+ 	struct list_head list;		/* list of all ioctls */
+@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(
+ 	
+ 	if (snd_BUG_ON(!control || !control->count))
+ 		return NULL;
++
++	if (control->count > MAX_CONTROL_COUNT)
++		return NULL;
++
+ 	kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ 	if (kctl == NULL) {
+ 		snd_printk(KERN_ERR "Cannot allocate control instance\n");
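
Review bot: The new "#define MAX_CONTROL_COUNT 1028" in the first control.c hunk carries no comment, unlike MAX_USER_CONTROLS directly above it, so nothing records what the limit covers or why 1028 was chosen. A one-line comment would help, saying that it caps control->count so that "sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count" cannot wrap. In the snd_ctl_new() hunk, the added "if (control->count > MAX_CONTROL_COUNT) return NULL;" refuses the request silently, while the allocation failure just below logs through snd_printk. A short comment there, stating that the count is user-supplied and is rejected deliberately, would keep a later reader from mistaking this branch for an out-of-memory path.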

Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 06:50:12 2010	(r16440)
+++ dists/sid/linux-2.6/debian/patches/series/25	Thu Oct 14 06:50:39 2010	(r16441)
@@ -28,3 +28,4 @@
 + bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
 + bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
 + bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch


