From: Jerome Marchand <jmarchan@redhat.com>
Date: Fri, 15 Oct 2010 14:12:10 -0400
Subject: [sound] core: prevent heap corruption in snd_ctl_new
Message-id: <4CB8613A.802@redhat.com>
Patchwork-id: 28763
O-Subject: [PATCH RHEL5.6] CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new()
Bugzilla: 638484
CVE: CVE-2010-3442
RH-Acked-by: Jiri Olsa <jolsa@redhat.com>
RH-Acked-by: Bob Picco <bpicco@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=638484

This is a backport from:

commit 5591bf07225523600450edd9e6ad258bb877b779
Author: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Tue Sep 28 14:18:20 2010 -0400

ALSA: prevent heap corruption in snd_ctl_new()

The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk.

This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Tested with the reproducer provided in bz.

Regards,
Jerome

diff --git a/sound/core/control.c b/sound/core/control.c index 2448150..c066f5d 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -33,6 +33,7 @@ /* max number of user-defined controls */ #define MAX_USER_CONTROLS 32 +#define MAX_CONTROL_COUNT 1028 struct snd_kctl_ioctl { struct list_head list; /* list of all ioctls */ 
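Review bot: MAX_CONTROL_COUNT is dropped directly under the comment "/* max number of user-defined controls */", which documents MAX_USER_CONTROLS, so a reader will attach that meaning to the new constant, and the value 1028 itself is never explained (it is neither a power of two nor derived from any sizeof in the file). Give the define its own comment saying what it bounds and why, e.g. `/* max elements (snd_kcontrol.count) per control; bounds the allocation size in snd_ctl_new() */`, and separate it from the MAX_USER_CONTROLS block with a blank line so the two limits are not read as one.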
@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control, snd_assert(control != NULL, return NULL); snd_assert(control->count > 0, return NULL); + + if (control->count > MAX_CONTROL_COUNT) + return NULL; + kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL); if (kctl == NULL) { snd_printk(KERN_ERR "Cannot allocate control instance\n");
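Review bot: the new `if (control->count > MAX_CONTROL_COUNT) return NULL;` rejects the request silently, while the kzalloc() failure branch immediately below logs KERN_ERR "Cannot allocate control instance", so callers of snd_ctl_new() (and the user who issued the ioctl) cannot distinguish a deliberately rejected oversized count from real memory exhaustion. Either add a snd_printk() here as well, or better, validate count in the ioctl entry path and return -EINVAL before the allocator is reached. The check also carries no comment tying it to the size computation on the next line; a one-liner such as `/* bound count so sizeof(*kctl) + sizeof(vd) * count cannot wrap */` makes the purpose of the constant visible where it is used and keeps the check from being "simplified" away later.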
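As an added illustration, not part of the upstream commit or the RHEL backport: a small C model of the size arithmetic in snd_ctl_new(), showing where the pre-patch computation wraps on a 32-bit kernel, how far the per-element initialisation loop then runs past the undersized chunk, the post-patch MAX_CONTROL_COUNT check, and an overflow-safe alternative that derives the admissible count from the arithmetic instead of a fixed constant. The struct sizes (128 bytes for struct snd_kcontrol, 16 bytes for struct snd_kcontrol_volatile) are assumptions chosen for the model and do not match any particular kernel build; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed sizes for this model only (real kernel layouts differ by version
 * and architecture): struct snd_kcontrol as 128 bytes and
 * struct snd_kcontrol_volatile as 16 bytes.
 */
#define KCTL_SIZE 128u
#define VD_SIZE   16u

/* Upper bound on snd_kcontrol.count introduced by the patch. */
#define MAX_CONTROL_COUNT 1028u

/*
 * Pre-patch computation as it behaves on a 32-bit kernel, where size_t is
 * 32 bits wide: sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * count
 * with count taken straight from the ioctl argument. Unsigned arithmetic
 * wraps modulo 2^32 instead of failing.
 */
uint32_t unchecked_alloc_size32(uint32_t count)
{
    return KCTL_SIZE + VD_SIZE * count;
}

/* Smallest count for which the 32-bit size computation wraps. */
uint32_t first_wrapping_count(void)
{
    return (UINT32_MAX - KCTL_SIZE) / VD_SIZE + 1u;
}

/*
 * How many bytes a loop that initialises count elements of VD_SIZE bytes
 * after the header would run past a chunk of the wrapped size.
 * Zero means the chunk is large enough.
 */
uint64_t overflow_bytes32(uint32_t count)
{
    uint64_t needed = KCTL_SIZE + (uint64_t)VD_SIZE * count;
    uint64_t got = unchecked_alloc_size32(count);
    return needed > got ? needed - got : 0;
}

/*
 * Patched behaviour: count must be 1..MAX_CONTROL_COUNT before the size is
 * computed. Returns 0 where snd_ctl_new() would return NULL.
 */
uint32_t checked_alloc_size32(uint32_t count)
{
    if (count == 0 || count > MAX_CONTROL_COUNT)
        return 0;
    return KCTL_SIZE + VD_SIZE * count;
}

/*
 * Alternative not tied to a magic number: derive the admissible count from
 * the arithmetic itself. size_max is the target's SIZE_MAX (UINT32_MAX for
 * a 32-bit kernel). Returns 0 when base + elem * count would not fit.
 */
uint64_t safe_alloc_size(uint64_t size_max, uint64_t base, uint64_t elem,
                         uint64_t count)
{
    if (count == 0 || elem == 0 || base > size_max)
        return 0;
    if (count > (size_max - base) / elem)
        return 0;
    return base + elem * count;
}

int main(void)
{
    uint32_t c = first_wrapping_count();

    printf("first wrapping count: %u -> wrapped size %u, true size %llu\n",
           c, unchecked_alloc_size32(c),
           (unsigned long long)(KCTL_SIZE + (uint64_t)VD_SIZE * c));
    printf("count %u: chunk %u bytes, init loop overruns by %llu bytes\n",
           c + 1, unchecked_alloc_size32(c + 1),
           (unsigned long long)overflow_bytes32(c + 1));
    printf("patched check: count %u -> %u bytes, count %u -> %u (rejected)\n",
           MAX_CONTROL_COUNT, checked_alloc_size32(MAX_CONTROL_COUNT),
           c + 1, checked_alloc_size32(c + 1));
    printf("overflow-safe check, 32-bit target: count %u -> %llu (0 = rejected)\n",
           c, (unsigned long long)safe_alloc_size(UINT32_MAX, KCTL_SIZE, VD_SIZE, c));
    return 0;
}
```

On a 64-bit kernel the same count does not wrap a 64-bit size_t, so safe_alloc_size() with size_max = UINT64_MAX accepts it; the 1028 constant in the patch is a portable bound that is small on every architecture, at the cost of not expressing why that number was chosen.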