[linux] 01/02: ALSA: compress: fix an integer overflow check (CVE-2014-9904)

Sat Jul 2 09:40:41 UTC 2016

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 49084137190eac5aa9a2308be211dc6aa2f7de0f
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jul 2 11:32:44 2016 +0200

    ALSA: compress: fix an integer overflow check (CVE-2014-9904)
---
 debian/changelog                                   |  4 +++
 ...sa-compress-fix-an-integer-overflow-check.patch | 31 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 36 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 394d8d3..1131fcc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,14 @@
 linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
 
+  [ Salvatore Bonaccorso ]
   * Revert "netfilter: ensure number of counters is >0 in do_replace()"
     Fixes regression introduced in 3.16.7-ckt25-2+deb8u2. Setting rules with
     ebtables did not work any more.
     Thanks to Jacob Lundberg <jacob at collegenet.com> (Closes: #828914)
 
+  [ Ben Hutchings ]
+  * ALSA: compress: fix an integer overflow check (CVE-2014-9904)
+
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 02 Jul 2016 11:22:39 +0200
 
 linux (3.16.7-ckt25-2+deb8u2) jessie-security; urgency=high
diff --git a/debian/patches/bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch b/debian/patches/bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
new file mode 100644
index 0000000..355f805
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
@@ -0,0 +1,31 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Wed, 16 Jul 2014 09:37:04 +0300
+Subject: ALSA: compress: fix an integer overflow check
+Origin: https://git.kernel.org/linus/6217e5ede23285ddfee10d2e4ba0cc2d4c046205
+
+I previously added an integer overflow check here but looking at it now,
+it's still buggy.
+
+The bug happens in snd_compr_allocate_buffer().  We multiply
+".fragments" and ".fragment_size" and that doesn't overflow but then we
+save it in an unsigned int so it truncates the high bits away and we
+allocate a smaller than expected size.
+
+Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/compress_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -500,7 +500,7 @@ static int snd_compress_check_input(stru
+ {
+ 	/* first let's check the buffer parameter's */
+ 	if (params->buffer.fragment_size == 0 ||
+-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
++	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
+ 		return -EINVAL;
+ 
+ 	/* now codec parameters */
diff --git a/debian/patches/series b/debian/patches/series
index 9740c31..5e09c3d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -724,3 +724,4 @@ bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch
 debian/migrate-fix-abi-change-in-3.16.36.patch
 bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
 bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
+bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

