diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2010-09-28 14:18:20 -0400 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2010-09-28 15:33:16 -0400 |
commit | 5591bf07225523600450edd9e6ad258bb877b779 (patch) | |
tree | f886a48ec51861e74c79eca3052adeb9646d1534 /README | |
parent | e68d3b316ab7b02a074edc4f770e6a746390cb7d (diff) |
ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow. If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk. This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions