1 files changed, 46 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
new file mode 100644
index 0000000..2065780
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,46 @@
+From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:34 +0200
+Subject: [PATCH] ALSA: control: Handle numid overflow
+commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
+Each control gets automatically assigned its numids when the control is created.
+The allocation is done by incrementing the numid by the amount of allocated
+numids per allocation. This means that excessive creation and destruction of
+controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
+eventually overflow. Currently when this happens for the control that caused the
+overflow kctl->id.numid + kctl->count will also over flow causing it to be
+smaller than kctl->id.numid. Most of the code assumes that this is something
+that can not happen, so we need to make sure that it won't happen
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/core/control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/sound/core/control.c b/sound/core/control.c
+index d4a597f..93215b4 100644
+--- a/sound/core/control.c
+++ b/sound/core/control.c
+@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
+ {
+        struct snd_kcontrol *kctl;
+ 
+       /* Make sure that the ids assigned to the control do not wrap around */
+       if (card->last_numid >= UINT_MAX - count)
+               card->last_numid = 0;
+
+        list_for_each_entry(kctl, &card->controls, list) {
+                if (kctl->id.numid < card->last_numid + 1 + count &&
+                    kctl->id.numid + kctl->count > card->last_numid + 1) {
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch new file mode 100644 index 0000000..2065780 --- /dev/null +++ b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch
@@ -0,0 +1,46 @@
	1	From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
	2	From: Lars-Peter Clausen <lars@metafoo.de>
	3	Date: Wed, 18 Jun 2014 13:32:34 +0200
	4	Subject: [PATCH] ALSA: control: Handle numid overflow
	5
	6	commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
	7
	8	Each control gets automatically assigned its numids when the control is created.
	9	The allocation is done by incrementing the numid by the amount of allocated
	10	numids per allocation. This means that excessive creation and destruction of
	11	controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
	12	eventually overflow. Currently when this happens for the control that caused the
	13	overflow kctl->id.numid + kctl->count will also over flow causing it to be
	14	smaller than kctl->id.numid. Most of the code assumes that this is something
	15	that can not happen, so we need to make sure that it won't happen
	16
	17	Fixes CVE-2014-4656
	18	Upstream-Status: Backport
	19
	20	Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
	21	Acked-by: Jaroslav Kysela <perex@perex.cz>
	22	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	23	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
	24	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	25	---
	26	sound/core/control.c \| 4 ++++
	27	1 file changed, 4 insertions(+)
	28
	29	diff --git a/sound/core/control.c b/sound/core/control.c
	30	index d4a597f..93215b4 100644
	31	--- a/sound/core/control.c
	32	+++ b/sound/core/control.c
	33	@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
	34	{
	35	struct snd_kcontrol *kctl;
	36
	37	+ /* Make sure that the ids assigned to the control do not wrap around */
	38	+ if (card->last_numid >= UINT_MAX - count)
	39	+ card->last_numid = 0;
	40	+
	41	list_for_each_entry(kctl, &card->controls, list) {
	42	if (kctl->id.numid < card->last_numid + 1 + count &&
	43	kctl->id.numid + kctl->count > card->last_numid + 1) {
	44	--
	45	1.9.1
	46