36 lines
1.1 KiB
Plaintext
36 lines
1.1 KiB
Plaintext
|
From 4a122c10fbfe9020df469f0f669da129c5757671 Mon Sep 17 00:00:00 2001
|
||
|
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||
|
Date: Thu, 17 Mar 2011 18:32:24 -0400
|
||
|
Subject: [PATCH] ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl
|
||
|
Git-commit: 4a122c10fbfe9020df469f0f669da129c5757671
|
||
|
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6.git
|
||
|
Patch-mainline: 2.6.39-rc1
|
||
|
References: bnc#680816
|
||
|
|
||
|
The user-supplied index into the adapters array needs to be checked, or
|
||
|
an out-of-bounds kernel pointer could be accessed and used, leading to
|
||
|
potentially exploitable memory corruption.
|
||
|
|
||
|
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||
|
Cc: <stable@kernel.org>
|
||
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||
|
|
||
|
---
|
||
|
sound/pci/asihpi/hpioctl.c | 5 +++++
|
||
|
1 file changed, 5 insertions(+)
|
||
|
|
||
|
--- a/sound/pci/asihpi/hpioctl.c
|
||
|
+++ b/sound/pci/asihpi/hpioctl.c
|
||
|
@@ -155,6 +155,11 @@
|
||
|
goto out;
|
||
|
}
|
||
|
|
||
|
+ if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
|
||
|
+ err = -EINVAL;
|
||
|
+ goto out;
|
||
|
+ }
|
||
|
+
|
||
|
pa = &adapters[hm->h.adapter_index];
|
||
|
hr->h.size = 0;
|
||
|
if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
|