ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
Dan Rosenberg
Takashi Iwai
parent
e68d3b316a
commit
5591bf0722
1 changed files with 5 additions and 0 deletions
|
|
@ -31,6 +31,7 @@
|
|||
|
||||
/* max number of user-defined controls */
|
||||
#define MAX_USER_CONTROLS 32
|
||||
#define MAX_CONTROL_COUNT 1028
|
||||
|
||||
struct snd_kctl_ioctl {
|
||||
struct list_head list; /* list of all ioctls */
|
||||
|
|
@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
|
|||
|
||||
if (snd_BUG_ON(!control || !control->count))
|
||||
return NULL;
|
||||
|
||||
if (control->count > MAX_CONTROL_COUNT)
|
||||
return NULL;
|
||||
|
||||
kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
|
||||
if (kctl == NULL) {
|
||||
snd_printk(KERN_ERR "Cannot allocate control instance\n");
|
||||
|
|
|
|||
Loading…
Reference in a new issue