diff options
Diffstat (limited to 'extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch')
-rw-r--r-- | extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch new file mode 100644 index 00000000..473a408d --- /dev/null +++ b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 6540a62434750fe29b877293e54dbf05c0fb54c4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Dan Rosenberg <drosenberg@vsecurity.com> | ||
3 | Date: Sat, 25 Dec 2010 16:23:40 -0500 | ||
4 | Subject: [PATCH 31/65] sound: Prevent buffer overflow in OSS load_mixer_volumes | ||
5 | |||
6 | The load_mixer_volumes() function, which can be triggered by | ||
7 | unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to | ||
8 | a buffer overflow. Because the provided "name" argument isn't | ||
9 | guaranteed to be NULL terminated at the expected 32 bytes, it's possible | ||
10 | to overflow past the end of the last element in the mixer_vols array. | ||
11 | Further exploitation can result in an arbitrary kernel write (via | ||
12 | subsequent calls to load_mixer_volumes()) leading to privilege | ||
13 | escalation, or arbitrary kernel reads via get_mixer_levels(). In | ||
14 | addition, the strcmp() may leak bytes beyond the mixer_vols array. | ||
15 | |||
16 | Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> | ||
17 | Cc: stable <stable@kernel.org> | ||
18 | Signed-off-by: Takashi Iwai <tiwai@suse.de> | ||
19 | --- | ||
20 | sound/oss/soundcard.c | 4 ++-- | ||
21 | 1 files changed, 2 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c | ||
24 | index 46c0d03..fcb14a0 100644 | ||
25 | --- a/sound/oss/soundcard.c | ||
26 | +++ b/sound/oss/soundcard.c | ||
27 | @@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present) | ||
28 | int i, n; | ||
29 | |||
30 | for (i = 0; i < num_mixer_volumes; i++) { | ||
31 | - if (strcmp(name, mixer_vols[i].name) == 0) { | ||
32 | + if (strncmp(name, mixer_vols[i].name, 32) == 0) { | ||
33 | if (present) | ||
34 | mixer_vols[i].num = i; | ||
35 | return mixer_vols[i].levels; | ||
36 | @@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present) | ||
37 | } | ||
38 | n = num_mixer_volumes++; | ||
39 | |||
40 | - strcpy(mixer_vols[n].name, name); | ||
41 | + strncpy(mixer_vols[n].name, name, 32); | ||
42 | |||
43 | if (present) | ||
44 | mixer_vols[n].num = n; | ||
45 | -- | ||
46 | 1.6.6.1 | ||
47 | |||