[kernel] r16832 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 20:11:52 UTC 2011


Author: dannf
Date: Mon Jan 17 20:11:37 2011
New Revision: 16832

Log:
sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:07:18 2011	(r16831)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 20:11:37 2011	(r16832)
@@ -20,6 +20,7 @@
   * econet: Fix crash in aun_incoming() (CVE-2010-4343)
   * install_special_mapping skips security_file_mmap check (CVE-2010-4346)
   * sctp: a race between ICMP protocol unreachable and connect() (CVE-2010-4526)
+  * sound: Prevent buffer overflow in OSS load_mixer_volumes (CVE-2010-4527)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch	Mon Jan 17 20:11:37 2011	(r16832)
@@ -0,0 +1,42 @@
+commit ac371cc6a575e3f38e5f7d80f8ad3fbf1096041e
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Sat Dec 25 16:23:40 2010 -0500
+
+    sound: Prevent buffer overflow in OSS load_mixer_volumes
+    
+    The load_mixer_volumes() function, which can be triggered by
+    unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+    a buffer overflow.  Because the provided "name" argument isn't
+    guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+    to overflow past the end of the last element in the mixer_vols array.
+    Further exploitation can result in an arbitrary kernel write (via
+    subsequent calls to load_mixer_volumes()) leading to privilege
+    escalation, or arbitrary kernel reads via get_mixer_levels().  In
+    addition, the strcmp() may leak bytes beyond the mixer_vols array.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Takashi Iwai <tiwai at suse.de>
+
+diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
+index a9c23b2..eac3c00 100644
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ 	int             i, n;
+ 
+ 	for (i = 0; i < num_mixer_volumes; i++) {
+-		if (strcmp(name, mixer_vols[i].name) == 0) {
++		if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ 			if (present)
+ 				mixer_vols[i].num = i;
+ 			return mixer_vols[i].levels;
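Review bot: the bound in the strncmp() call is the bare literal 32, not the size of the field it protects. The commit message gives 32 bytes as the expected length of the name; if name is a fixed-size array member, writing the bound as sizeof(mixer_vols[i].name) would keep the comparison correct should the field ever be resized. A one-line comment that the caller-supplied name may arrive without a terminator would also record why the compare is bounded.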
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+ 	}
+ 	n = num_mixer_volumes++;
+ 
+-	strcpy(mixer_vols[n].name, name);
++	strncpy(mixer_vols[n].name, name, 32);
+ 
+ 	if (present)
+ 		mixer_vols[n].num = n;
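Review bot: strncpy() with a count of 32 writes no terminator when name holds 32 or more bytes before its first NUL, so mixer_vols[n].name can be left unterminated after this line. That is safe only if every reader of the field bounds its access to 32 bytes, as the strncmp() in the previous hunk now does; other readers are not visible in this diff. Either copy at most 31 bytes and set mixer_vols[n].name[31] = '\0' explicitly, or add a comment stating that the field is fixed-width and not guaranteed to be NUL-terminated.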

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:07:18 2011	(r16831)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 20:11:37 2011	(r16832)
@@ -17,3 +17,4 @@
 + bugfix/all/econet-fix-crash-in-aun_incoming.patch
 + bugfix/all/install_special_mapping-skips-security_file_mmap_check.patch
 + bugfix/all/sctp-fix-race-between-ICMP-protocol-unreachable-and-connect.patch
++ bugfix/all/sound-prevent-buffer-overflow-in-OSS-load_mixer_volumes.patch
