ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
parent
e68d3b316a
commit
5591bf0722
|
@ -31,6 +31,7 @@
|
||||||
|
|
||||||
/* max number of user-defined controls */
|
/* max number of user-defined controls */
|
||||||
#define MAX_USER_CONTROLS 32
|
#define MAX_USER_CONTROLS 32
|
||||||
|
#define MAX_CONTROL_COUNT 1028
|
||||||
|
|
||||||
struct snd_kctl_ioctl {
|
struct snd_kctl_ioctl {
|
||||||
struct list_head list; /* list of all ioctls */
|
struct list_head list; /* list of all ioctls */
|
||||||
|
@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
|
||||||
|
|
||||||
if (snd_BUG_ON(!control || !control->count))
|
if (snd_BUG_ON(!control || !control->count))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
if (control->count > MAX_CONTROL_COUNT)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
|
kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
|
||||||
if (kctl == NULL) {
|
if (kctl == NULL) {
|
||||||
snd_printk(KERN_ERR "Cannot allocate control instance\n");
|
snd_printk(KERN_ERR "Cannot allocate control instance\n");
|
||||||
|
|
Reference in New Issue