[kernel] r16485 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Oct 25 02:21:21 UTC 2010
Author: dannf
Date: Mon Oct 25 02:21:18 2010
New Revision: 16485
Log:
ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:21:07 2010 (r16484)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Oct 25 02:21:18 2010 (r16485)
@@ -7,6 +7,7 @@
* rose: Fix signedness issues wrt. digi count (CVE-2010-3310)
* sctp: Do not reset the packet during sctp_packet_config() (CVE-2010-3432)
* Fix pktcdvd ioctl dev_minor range check (CVE-2010-3437)
+ * ALSA: prevent heap corruption in snd_ctl_new() (CVE-2010-3442)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch Mon Oct 25 02:21:18 2010 (r16485)
@@ -0,0 +1,45 @@
+commit 67457795003ba0ca32157a893827e456ad45c420
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Tue Sep 28 14:18:20 2010 -0400
+
+ [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ ALSA: prevent heap corruption in snd_ctl_new()
+
+ The snd_ctl_new() function in sound/core/control.c allocates space for a
+ snd_kcontrol struct by performing arithmetic operations on a
+ user-provided size without checking for integer overflow. If a user
+ provides a large enough size, an overflow will occur, the allocated
+ chunk will be too small, and a second user-influenced value will be
+ written repeatedly past the bounds of this chunk. This code is
+ reachable by unprivileged users who have permission to open
+ a /dev/snd/controlC* device (on many distros, this is group "audio") via
+ the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 7ac4bbb..8618aa0 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
+@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
+
+ snd_assert(control != NULL, return NULL);
+ snd_assert(control->count > 0, return NULL);
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
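Review bot: MAX_CONTROL_COUNT is introduced as 1028 in the first control.c hunk without any comment, and it sits directly under the existing "max number of user-defined controls" comment, which describes MAX_USER_CONTROLS rather than the new limit. A one-line comment stating that it caps control->count in snd_ctl_new(), and where the value 1028 comes from, would keep the bound from reading as arbitrary. In the second control.c hunk, the added "if (control->count > MAX_CONTROL_COUNT) return NULL;" rejects the request silently, while the kzalloc() failure path right below it logs "Cannot allocate control instance"; callers receive the same NULL in both cases, so an oversized count cannot be told apart from an allocation failure. Consider logging on the reject path or noting the shared return value in a comment. The placement of the check, ahead of the size multiplication passed to kzalloc() and as an unconditional if rather than another snd_assert, looks right.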
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:21:07 2010 (r16484)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Mon Oct 25 02:21:18 2010 (r16485)
@@ -5,3 +5,4 @@
+ bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch
+ bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
+ bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch
++ bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch