[ 3.8.y.z extended stable ] Patch "ASoC: ab8500-codec: info leak in anc_status_control_put()" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Wed Oct 9 20:51:19 UTC 2013 

This is a note to let you know that I have just added a patch titled

    ASoC: ab8500-codec: info leak in anc_status_control_put()

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.11.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 47688235d094365aaa998aa4154e298aac4688b8 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter at oracle.com>
Date: Fri, 13 Sep 2013 10:53:36 +0300
Subject: ASoC: ab8500-codec: info leak in anc_status_control_put()

commit d63733aed90b432e5cc489ddfa28e342f91b4652 upstream.

If the user passes an invalid value it leads to an info leak when we
print the error message or it could oops.  This is called with user
supplied data from snd_ctl_elem_write().

Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Mark Brown <broonie at linaro.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 sound/soc/codecs/ab8500-codec.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sound/soc/codecs/ab8500-codec.c b/sound/soc/codecs/ab8500-codec.c
index 6c12ac2..52509dd 100644
--- a/sound/soc/codecs/ab8500-codec.c
+++ b/sound/soc/codecs/ab8500-codec.c
@@ -1225,13 +1225,18 @@ static int anc_status_control_put(struct snd_kcontrol *kcontrol,
 	struct ab8500_codec_drvdata *drvdata = dev_get_drvdata(codec->dev);
 	struct device *dev = codec->dev;
 	bool apply_fir, apply_iir;
-	int req, status;
+	unsigned int req;
+	int status;

 	dev_dbg(dev, "%s: Enter.\n", __func__);

 	mutex_lock(&drvdata->anc_lock);

 	req = ucontrol->value.integer.value[0];
+	if (req >= ARRAY_SIZE(enum_anc_state)) {
+		status = -EINVAL;
+		goto cleanup;
+	}
 	if (req != ANC_APPLY_FIR_IIR && req != ANC_APPLY_FIR &&
 		req != ANC_APPLY_IIR) {
 		dev_err(dev, "%s: ERROR: Unsupported status to set '%s'!\n",
--
1.8.1.2

More information about the kernel-team mailing list