[CVE-2011-1169][Maverick][PATCH] ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169
John Johansen
john.johansen at canonical.com
Thu May 19 20:55:35 UTC 2011
On 05/19/2011 01:21 PM, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg at vsecurity.com>
>
> CVE-2011-1169
>
> BugLink: http://bugs.launchpad.net/bugs/785331
>
> Released until now with stable versions 2.6.37.5, 2.6.38.1
>
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
>
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Cc: <stable at kernel.org>
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> sound/pci/asihpi/hpioctl.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> goto out;
> }
>
> + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> + err = -EINVAL;
> + goto out;
> + }
> +
> pa = &adapters[hm->h.adapter_index];
> hr->h.size = 0;
> if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
More information about the kernel-team
mailing list