[kernel] r16441 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 14 06:50:46 UTC 2010
Author: dannf
Date: Thu Oct 14 06:50:39 2010
New Revision: 16441
Log:
ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/25
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Oct 14 06:50:12 2010 (r16440)
+++ dists/sid/linux-2.6/debian/changelog Thu Oct 14 06:50:39 2010 (r16441)
@@ -38,6 +38,7 @@
* niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (CVE-2010-3084)
* rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
* Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
+ * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
-- dann frazier <dannf at debian.org> Wed, 13 Oct 2010 23:44:55 -0600
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch Thu Oct 14 06:50:39 2010 (r16441)
@@ -0,0 +1,43 @@
+[Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>]
+
+commit 5591bf07225523600450edd9e6ad258bb877b779
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Tue Sep 28 14:18:20 2010 -0400
+
+ ALSA: prevent heap corruption in snd_ctl_new()
+
+ The snd_ctl_new() function in sound/core/control.c allocates space for a
+ snd_kcontrol struct by performing arithmetic operations on a
+ user-provided size without checking for integer overflow. If a user
+ provides a large enough size, an overflow will occur, the allocated
+ chunk will be too small, and a second user-influenced value will be
+ written repeatedly past the bounds of this chunk. This code is
+ reachable by unprivileged users who have permission to open
+ a /dev/snd/controlC* device (on many distros, this is group "audio") via
+ the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+--- a/sound/core/control.c 2009-12-02 20:51:21.000000000 -0700
++++ b/sound/core/control.c 2010-10-14 00:43:09.342659768 -0600
+@@ -31,6 +31,7 @@
+
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
+@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(
+
+ if (snd_BUG_ON(!control || !control->count))
+ return NULL;
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
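Review bot: MAX_CONTROL_COUNT is defined as a bare 1028 with no comment, although the new `control->count > MAX_CONTROL_COUNT` test in snd_ctl_new() is what the kzalloc() size expression now relies on to stay in range. Please add a comment on the define saying that it bounds `sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count` and where the value 1028 comes from, so that anyone raising the limit later does so with the overflow in mind. The multiplication itself remains unchecked and is safe only while the bound stays small. Separately, the rejected-count path returns NULL silently, while the allocation-failure path just below logs "Cannot allocate control instance", so a caller cannot tell an oversized count from an out-of-memory condition by the return value alone.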
Modified: dists/sid/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 06:50:12 2010 (r16440)
+++ dists/sid/linux-2.6/debian/patches/series/25 Thu Oct 14 06:50:39 2010 (r16441)
@@ -28,3 +28,4 @@
+ bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch
+ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
+ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch