diff --git a/alsa-prevent-heap-corruption-in-snd_ctl_new.patch b/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
new file mode 100644
index 0000000..0dbab01
--- /dev/null
+++ b/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
@@ -0,0 +1,46 @@
+From: Dan Rosenberg
+Date: Tue, 28 Sep 2010 18:18:20 +0000 (-0400)
+Subject: ALSA: prevent heap corruption in snd_ctl_new()
+X-Git-Tag: v2.6.36-rc7~12^2~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftiwai%2Fsound-2.6.git;a=commitdiff_plain;h=5591bf07225523600450edd9e6ad258bb877b779
+
+ALSA: prevent heap corruption in snd_ctl_new()
+
+The snd_ctl_new() function in sound/core/control.c allocates space for a
+snd_kcontrol struct by performing arithmetic operations on a
+user-provided size without checking for integer overflow. If a user
+provides a large enough size, an overflow will occur, the allocated
+chunk will be too small, and a second user-influenced value will be
+written repeatedly past the bounds of this chunk. This code is
+reachable by unprivileged users who have permission to open
+a /dev/snd/controlC* device (on many distros, this is group "audio") via
+the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+Signed-off-by: Dan Rosenberg
+Cc:
+Signed-off-by: Takashi Iwai
+---
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 070aab4..45a8180 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+ 
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+ 
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
+@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
+ 
+ if (snd_BUG_ON(!control || !control->count))
+ return NULL;
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
diff --git a/kernel.spec b/kernel.spec
index 5cffb70..fc9ad9d 100644
--- a/kernel.spec
+++ b/kernel.spec
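Review bot: The new `#define MAX_CONTROL_COUNT 1028` in the control.c header hunk is a bare magic number with no comment tying it to the overflow it exists to prevent, unlike `MAX_USER_CONTROLS` directly above it, which is documented. A reader will not see why 1028 rather than 1024 was chosen, nor that the limit is what keeps the `sizeof(struct snd_kcontrol_volatile) * control->count` multiplication in the kzalloc call from wrapping; I would put `/* upper bound on control->count: keeps the kzalloc size computation in snd_ctl_new() from overflowing (CVE-2010-3442) */` on the define. The check itself sits in the right place, after `snd_BUG_ON(!control || !control->count)` and before the allocation, though it returns NULL silently where the neighbouring kzalloc failure logs through snd_printk, so a consistency nit at most. snd_ctl_new() starts and ends outside the hunk and the type of control->count is not visible here, so whether the cap also covers a signed-to-unsigned conversion cannot be judged from this page.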
@@ -885,6 +885,8 @@ Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch # CVE-2010-3705 Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch +# CVE-2010-3442 +Patch13913: alsa-prevent-heap-corruption-in-snd_ctl_new.patch %endif @@ -1695,6 +1697,8 @@ ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch # CVE-2010-3705 ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch +# CVE-2010-3442 +ApplyPatch alsa-prevent-heap-corruption-in-snd_ctl_new.patch # END OF PATCH APPLICATIONS @@ -2322,6 +2326,7 @@ fi - CVE-2010-2963: v4l: VIDIOCSMICROCODE arbitrary write - CVE-2010-3698: kvm: invalid selector in fs/gs causes kernel panic - CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() +- CVE-2010-3442: ALSA: prevent heap corruption in snd_ctl_new() * Thu Dec 09 2010 Kyle McMartin - ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch