From: Stanislaw Gruszka <sgruszka@redhat.com> Date: Fri, 12 Nov 2010 09:30:20 -0500 Subject: [sound] rme9652: prevent reading uninitialized stack mem Message-id: <20101112093013.GA9383@redhat.com> Patchwork-id: 29201 O-Subject: [RHEL5 PATCH] ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory Bugzilla: 648709 648714 CVE: CVE-2010-4080 CVE-2010-4081 RH-Acked-by: Jaroslav Kysela <jkysela@redhat.com> RH-Acked-by: Prarit Bhargava <prarit@redhat.com> RH-Acked-by: Dean Nelson <dnelson@redhat.com> BZ#648714 BZ#648709 Backport of: commit e68d3b316ab7b02a074edc4f770e6a746390cb7d Author: Dan Rosenberg <drosenberg@vsecurity.com> Date: Sat Sep 25 11:07:27 2010 -0400 ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow unprivileged users to read uninitialized kernel stack memory, because several fields of the hdsp{m}_config_info structs declared on the stack are not altered or zeroed before being copied back to the user. This patch takes care of it. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c index 65810e7..b49352e 100644 --- a/sound/pci/rme9652/hdsp.c +++ b/sound/pci/rme9652/hdsp.c @@ -4519,6 +4519,7 @@ static int snd_hdsp_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, unsigne snd_printk(KERN_ERR "Hammerfall-DSP: Firmware needs to be uploaded to the card.\n"); return -EINVAL; } + memset(&info, 0, sizeof(info)); spin_lock_irqsave(&hdsp->lock, flags); info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp); info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp); diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c index e116947..4b6d8ac 100644 --- a/sound/pci/rme9652/hdspm.c +++ b/sound/pci/rme9652/hdspm.c 
@@ -4082,6 +4082,7 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep * hw, struct file *file, case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO: + memset(&info, 0, sizeof(info)); spin_lock_irq(&hdspm->lock); info.pref_sync_ref = (unsigned char) hdspm_pref_sync_ref(hdspm);
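Review bot: In the hdsp.c hunk, the added `memset(&info, 0, sizeof(info));` before `spin_lock_irqsave(&hdsp->lock, flags);` has no comment saying why it is there. The assignments that follow set individual fields, so a later cleanup could read the memset as redundant and drop it. Add a one-line comment stating that the whole struct is copied back to the user and that fields this ioctl never assigns must not carry stack contents. Clearing before taking the lock is the right order, as it keeps the critical section short. Only this one case of snd_hdsp_hwdep_ioctl is visible here. Check any other case in the function that fills a stack struct and copies it out for the same pattern.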
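Review bot: In the hdspm.c hunk, the case label is `SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO`, but the commit message names `SNDRV_HDSP_IOCTL_GET_CONFIG_INFO` twice and never mentions the HDSPM ioctl. Correct the second occurrence in the message (or note the discrepancy in the backport description) so that a search for the HDSPM ioctl name finds this fix. As in hdsp.c, a short comment above `memset(&info, 0, sizeof(info));` explaining that the struct is returned to userspace in full would help keep the call from being removed later.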