linux-hardened/sound/oss
Dan Rosenberg d81a12bc29 sound: Prevent buffer overflow in OSS load_mixer_volumes
The load_mixer_volumes() function, which can be triggered by
unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
a buffer overflow.  Because the provided "name" argument isn't
guaranteed to be NULL terminated at the expected 32 bytes, it's possible
to overflow past the end of the last element in the mixer_vols array.
Further exploitation can result in an arbitrary kernel write (via
subsequent calls to load_mixer_volumes()) leading to privilege
escalation, or arbitrary kernel reads via get_mixer_levels().  In
addition, the strcmp() may leak bytes beyond the mixer_vols array.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-12-30 13:20:55 +01:00
dmasound sound: autoconvert trivial BKL users to private mutex 2010-09-14 23:14:50 +02:00
.gitignore
ac97_codec.c Update broken web addresses in the kernel. 2010-10-18 11:03:14 +02:00
ad1848.c sound/oss: Adjust confusing if indentation 2010-08-06 09:59:24 +02:00
ad1848.h [PATCH] The scheduled removal of some OSS drivers 2006-10-04 07:55:32 -07:00
ad1848_mixer.h fix file specification in comments 2006-10-03 23:01:26 +02:00
aedsp16.c sound: aedsp16: Buffer overflow 2009-07-29 14:37:12 +02:00
au1550_ac97.c sound: autoconvert trivial BKL users to private mutex 2010-09-14 23:14:50 +02:00
audio.c sound: OSS: fix error return in dma_ioctl() 2009-11-12 21:09:45 +01:00
bin2hex.c
CHANGELOG
coproc.h sound/oss/coproc.h: Checkpatch cleanup 2010-03-02 11:22:19 +01:00
dev_table.c sound/oss/dev_table.c: Use vzalloc 2010-11-11 01:54:32 +01:00
dev_table.h [PATCH] kill sound/oss/*_syms.c 2006-10-04 07:55:32 -07:00
dmabuf.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hex2hex.c oss: Mark loadhex static in hex2hex.c 2009-11-15 15:01:42 -08:00
kahlua.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
Kconfig SOUND-OSS: Remove sh_dac_audio 2010-09-23 08:10:32 +02:00
Makefile SOUND-OSS: Remove sh_dac_audio 2010-09-23 08:10:32 +02:00
midi_ctrl.h
midi_synth.c sound: oss: midi_synth: check get_user() return value 2010-07-29 12:25:06 +02:00
midi_synth.h
midibuf.c sound/oss: Remove unnecessary casts of void ptr 2010-11-11 01:59:04 +01:00
mpu401.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mpu401.h IRQ: Maintain regs pointer globally rather than passing to IRQ handlers 2006-10-05 15:10:12 +01:00
msnd.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
msnd.h [PATCH] introduce fmode_t, do annotations 2008-10-21 07:47:06 -04:00
msnd_classic.c
msnd_classic.h sound: sound/oss/: remove CVS keywords 2008-05-27 15:56:20 +02:00
msnd_pinnacle.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 2010-10-25 08:32:05 -07:00
msnd_pinnacle.h sound: sound/oss/: remove CVS keywords 2008-05-27 15:56:20 +02:00
opl3.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
opl3_hw.h
os.h [PATCH] mark struct file_operations const 9 2007-02-12 09:48:46 -08:00
pas2.h
pas2_card.c sound: OSS: missing parentheses in pas2_card.c 2009-02-18 11:37:51 +01:00
pas2_midi.c fix file specification in comments 2006-10-03 23:01:26 +02:00
pas2_mixer.c fix file specification in comments 2006-10-03 23:01:26 +02:00
pas2_pcm.c time: move PIT_TICK_RATE to linux/timex.h 2009-06-16 19:47:27 -07:00
pss.c sound/oss: Remove unnecessary casts of void ptr 2010-11-11 01:59:04 +01:00
README.FIRST
sb.h
sb_audio.c fix file specification in comments 2006-10-03 23:01:26 +02:00
sb_card.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_card.h
sb_common.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_ess.c sound/oss/sb_ess.c: delete double assignment 2010-10-26 21:28:05 +02:00
sb_ess.h
sb_midi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_mixer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_mixer.h fix file specification in comments 2006-10-03 23:01:26 +02:00
sequencer.c sound/oss: Remove unnecessary casts of void ptr 2010-11-11 01:59:04 +01:00
sound_calls.h [PATCH] kill sound/oss/*_syms.c 2006-10-04 07:55:32 -07:00
sound_config.h sound: oss: off by one bug 2010-01-08 09:17:51 +01:00
sound_firmware.h
sound_timer.c sound: oss: fix uninitialized spinlock 2010-08-28 11:57:54 +02:00
soundcard.c sound: Prevent buffer overflow in OSS load_mixer_volumes 2010-12-30 13:20:55 +01:00
soundvers.h
swarm_cs4297a.c sound: autoconvert trivial BKL users to private mutex 2010-09-14 23:14:50 +02:00
sys_timer.c trivial: remove unnecessary semicolons 2009-09-21 15:14:58 +02:00
trix.c fix file specification in comments 2006-10-03 23:01:26 +02:00
tuning.h [PATCH] The scheduled removal of some OSS drivers 2006-10-04 07:55:32 -07:00
uart401.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
uart6850.c IRQ: Maintain regs pointer globally rather than passing to IRQ handlers 2006-10-05 15:10:12 +01:00
ulaw.h
v_midi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
v_midi.h sound/oss/v_midi.h: Checkpatch cleanup 2010-03-02 11:22:08 +01:00
vidc.c sound/oss: Remove dead CONFIG_SOFTOSS* 2010-07-21 15:02:46 +02:00
vidc.h IRQ: Maintain regs pointer globally rather than passing to IRQ handlers 2006-10-05 15:10:12 +01:00
vidc_fill.S [ARM] Move include/asm-arm/arch-* to arch/arm/*/include/mach 2008-08-07 09:55:48 +01:00
vwsnd.c sound: autoconvert trivial BKL users to private mutex 2010-09-14 23:14:50 +02:00
waveartist.c sound: oss: waveartist: simplify waveartist_sleep() 2010-07-26 10:33:41 +02:00
waveartist.h fix file specification in comments 2006-10-03 23:01:26 +02:00

The modular sound driver patches were funded by Red Hat Software 
(www.redhat.com). The sound driver here is thus a modified version of 
Hannu's code. Please bear that in mind when considering the appropriate
forums for bug reporting. 

Alan Cox