diff options
Diffstat (limited to 'recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch')
-rw-r--r-- | recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch new file mode 100644 index 0000000..2065780 --- /dev/null +++ b/recipes-kernel/linux/files/0002-ALSA-CVE-2014-4656.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001 | ||
2 | From: Lars-Peter Clausen <lars@metafoo.de> | ||
3 | Date: Wed, 18 Jun 2014 13:32:34 +0200 | ||
4 | Subject: [PATCH] ALSA: control: Handle numid overflow | ||
5 | |||
6 | commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream. | ||
7 | |||
8 | Each control gets automatically assigned its numids when the control is created. | ||
9 | The allocation is done by incrementing the numid by the amount of allocated | ||
10 | numids per allocation. This means that excessive creation and destruction of | ||
11 | controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to | ||
12 | eventually overflow. Currently when this happens for the control that caused the | ||
13 | overflow kctl->id.numid + kctl->count will also over flow causing it to be | ||
14 | smaller than kctl->id.numid. Most of the code assumes that this is something | ||
15 | that can not happen, so we need to make sure that it won't happen | ||
16 | |||
17 | Fixes CVE-2014-4656 | ||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> | ||
21 | Acked-by: Jaroslav Kysela <perex@perex.cz> | ||
22 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||
23 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
24 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
25 | --- | ||
26 | sound/core/control.c | 4 ++++ | ||
27 | 1 file changed, 4 insertions(+) | ||
28 | |||
29 | diff --git a/sound/core/control.c b/sound/core/control.c | ||
30 | index d4a597f..93215b4 100644 | ||
31 | --- a/sound/core/control.c | ||
32 | +++ b/sound/core/control.c | ||
33 | @@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card, | ||
34 | { | ||
35 | struct snd_kcontrol *kctl; | ||
36 | |||
37 | + /* Make sure that the ids assigned to the control do not wrap around */ | ||
38 | + if (card->last_numid >= UINT_MAX - count) | ||
39 | + card->last_numid = 0; | ||
40 | + | ||
41 | list_for_each_entry(kctl, &card->controls, list) { | ||
42 | if (kctl->id.numid < card->last_numid + 1 + count && | ||
43 | kctl->id.numid + kctl->count > card->last_numid + 1) { | ||
44 | -- | ||
45 | 1.9.1 | ||
46 | |||