[PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Young_X <YangX92@xxxxxxxxxxx>

    The ALSA control code expects that the range of assigned indices to a 
    control is continuous and does not overflow. Currently there are no 
    checks to enforce this.
    If a control with a overflowing index range is created that control 
    becomes effectively inaccessible and unremovable since 
    snd_ctl_find_id() will not be able to find it. This patch adds a check 
    that makes sure that controls with a overflowing index range can not 
    be created.
    (same issue as CVE-2014-4656)

Signed-off-by: Young_X <YangX92@xxxxxxxxxxx>
---
 sound/core/control.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 9aa15bf..6435772 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
 		goto error;
 	}
 	id = kcontrol->id;
+	if (id.index > UINT_MAX - kcontrol->count) {
+		ret = -EINVAL;
+		goto error;
+	}
+
 	down_write(&card->controls_rwsem);
 	old = snd_ctl_find_id(card, &id);
 	if (!old) {
-- 
2.7.4

_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel



[Index of Archives]     [ALSA User]     [Linux Audio Users]     [Kernel Archive]     [Asterisk PBX]     [Photo Sharing]     [Linux Sound]     [Video 4 Linux]     [Gimp]     [Yosemite News]

  Powered by Linux