[kernel] r16485 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Oct 25 02:21:21 UTC 2010


Author: dannf
Date: Mon Oct 25 02:21:18 2010
New Revision: 16485

Log:
ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:21:07 2010	(r16484)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Oct 25 02:21:18 2010	(r16485)
@@ -7,6 +7,7 @@
   * rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
   * sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
   * Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
+  * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch	Mon Oct 25 02:21:18 2010	(r16485)
@@ -0,0 +1,45 @@
+commit 67457795003ba0ca32157a893827e456ad45c420
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Tue Sep 28 14:18:20 2010 -0400
+
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    ALSA: prevent heap corruption in snd_ctl_new()
+    
+    The snd_ctl_new() function in sound/core/control.c allocates space for a
+    snd_kcontrol struct by performing arithmetic operations on a
+    user-provided size without checking for integer overflow.  If a user
+    provides a large enough size, an overflow will occur, the allocated
+    chunk will be too small, and a second user-influenced value will be
+    written repeatedly past the bounds of this chunk.  This code is
+    reachable by unprivileged users who have permission to open
+    a /dev/snd/controlC* device (on many distros, this is group "audio") via
+    the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 7ac4bbb..8618aa0 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+ 
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS	32
++#define MAX_CONTROL_COUNT	1028
+ 
+ struct snd_kctl_ioctl {
+ 	struct list_head list;		/* list of all ioctls */
+@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
+ 	
+ 	snd_assert(control != NULL, return NULL);
+ 	snd_assert(control->count > 0, return NULL);
++
++	if (control->count > MAX_CONTROL_COUNT)
++		return NULL;
++
+ 	kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ 	if (kctl == NULL) {
+ 		snd_printk(KERN_ERR "Cannot allocate control instance\n");
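Review bot: `MAX_CONTROL_COUNT` is defined without a comment, although `MAX_USER_CONTROLS` directly above it has one, and nothing at the new `if (control->count > MAX_CONTROL_COUNT)` check says that it exists to keep the `kzalloc()` size computation on the following line from wrapping. I would add `/* upper bound on control->count; keeps the allocation size in snd_ctl_new() from overflowing */` above the define, and state the rationale for the value 1028 there if there is one. The check is correctly a plain `if`; in this backport the two `snd_assert()` lines before it may not be enforced in non-debug builds (the macro definition is not visible here), so a one-line comment at the check saying it must stay unconditional would protect it from being folded into an assert later. The rejection returns NULL without a message, so callers presumably cannot tell an oversized count from an allocation failure. The body of snd_ctl_new() starts and ends outside the hunk.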

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:21:07 2010	(r16484)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Mon Oct 25 02:21:18 2010	(r16485)
@@ -5,3 +5,4 @@
 + bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
 + bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
 + bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch


