1 files changed, 47 insertions, 0 deletions
diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch
new file mode 100644
index 00000000..473a408d
--- /dev/null
+++ b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch
@@ -0,0 +1,47 @@
+From 6540a62434750fe29b877293e54dbf05c0fb54c4 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: [PATCH 31/65] sound: Prevent buffer overflow in OSS load_mixer_volumes
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow.  Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels().  In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/oss/soundcard.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
+index 46c0d03..fcb14a0 100644
+--- a/sound/oss/soundcard.c
+++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+        int             i, n;
+ 
+        for (i = 0; i < num_mixer_volumes; i++) {
+-               if (strcmp(name, mixer_vols[i].name) == 0) {
+               if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+                        if (present)
+                                mixer_vols[i].num = i;
+                        return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
+        }
+        n = num_mixer_volumes++;
+ 
+-       strcpy(mixer_vols[n].name, name);
+       strncpy(mixer_vols[n].name, name, 32);
+ 
+        if (present)
+                mixer_vols[n].num = n;
+-- 
+1.6.6.1

diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch new file mode 100644 index 00000000..473a408d --- /dev/null +++ b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch
@@ -0,0 +1,47 @@
	1	From 6540a62434750fe29b877293e54dbf05c0fb54c4 Mon Sep 17 00:00:00 2001
	2	From: Dan Rosenberg <drosenberg@vsecurity.com>
	3	Date: Sat, 25 Dec 2010 16:23:40 -0500
	4	Subject: [PATCH 31/65] sound: Prevent buffer overflow in OSS load_mixer_volumes
	5
	6	The load_mixer_volumes() function, which can be triggered by
	7	unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
	8	a buffer overflow. Because the provided "name" argument isn't
	9	guaranteed to be NULL terminated at the expected 32 bytes, it's possible
	10	to overflow past the end of the last element in the mixer_vols array.
	11	Further exploitation can result in an arbitrary kernel write (via
	12	subsequent calls to load_mixer_volumes()) leading to privilege
	13	escalation, or arbitrary kernel reads via get_mixer_levels(). In
	14	addition, the strcmp() may leak bytes beyond the mixer_vols array.
	15
	16	Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
	17	Cc: stable <stable@kernel.org>
	18	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	19	---
	20	sound/oss/soundcard.c \| 4 ++--
	21	1 files changed, 2 insertions(+), 2 deletions(-)
	22
	23	diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
	24	index 46c0d03..fcb14a0 100644
	25	--- a/sound/oss/soundcard.c
	26	+++ b/sound/oss/soundcard.c
	27	@@ -87,7 +87,7 @@ int load_mixer_volumes(char name, int *levels, int present)
	28	int i, n;
	29
	30	for (i = 0; i < num_mixer_volumes; i++) {
	31	- if (strcmp(name, mixer_vols[i].name) == 0) {
	32	+ if (strncmp(name, mixer_vols[i].name, 32) == 0) {
	33	if (present)
	34	mixer_vols[i].num = i;
	35	return mixer_vols[i].levels;
	36	@@ -99,7 +99,7 @@ int load_mixer_volumes(char name, int *levels, int present)
	37	}
	38	n = num_mixer_volumes++;
	39
	40	- strcpy(mixer_vols[n].name, name);
	41	+ strncpy(mixer_vols[n].name, name, 32);
	42
	43	if (present)
	44	mixer_vols[n].num = n;
	45	--
	46	1.6.6.1
	47