diff options
author | Lars-Peter Clausen <lars@metafoo.de> | 2014-06-18 13:32:35 +0200 |
---|---|---|
committer | Stefan Bader <stefan.bader@canonical.com> | 2014-11-25 15:20:24 +0100 |
commit | 6f3a1969e01df2b9137b4032917da17a77bd777e (patch) | |
tree | 578b459fb9a1ae604f9de2f2815f6c10be39c9e0 | |
parent | aab0f17d0e2fdb067e23768add2302e35a33c332 (diff) | |
download | linux-2.6.32.y-drm33.z-6f3a1969e01df2b9137b4032917da17a77bd777e.tar.gz |
ALSA: control: Make sure that id->index does not overflow
The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e)
[wt: part 1 of CVE-2014-4656 fix]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-rw-r--r-- | sound/core/control.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sound/core/control.c b/sound/core/control.c index 7834a5438f756..80bb3ed7c5485 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -328,6 +328,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) if (snd_BUG_ON(!card || !kcontrol->info)) goto error; id = kcontrol->id; + if (id.index > UINT_MAX - kcontrol->count) + goto error; + down_write(&card->controls_rwsem); if (snd_ctl_find_id(card, &id)) { up_write(&card->controls_rwsem); |