Patchwork [hardy,maverick/ti-omap4,CVE,1/1] sound/oss/opl3: validate voice and channel indexes

login
register
mail settings
Submitter Andy Whitcroft
Date Feb. 2, 2012, 10:17 a.m.
Message ID <1328177834-10379-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/139105/
State New
Headers show

Comments

Andy Whitcroft - Feb. 2, 2012, 10:17 a.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

User-controllable indexes for voice and channel values may cause reading
and writing beyond the bounds of their respective arrays, leading to
potentially exploitable memory corruption.  Validate these indexes.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>

(cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df)
CVE-2011-1477
BugLink: http://bugs.launchpad.net/bugs/925335
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 sound/oss/opl3.c |   15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)
Stefan Bader - Feb. 2, 2012, 10:33 a.m.
On 02.02.2012 11:17, Andy Whitcroft wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> User-controllable indexes for voice and channel values may cause reading
> and writing beyond the bounds of their respective arrays, leading to
> potentially exploitable memory corruption.  Validate these indexes.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable@kernel.org
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> 
> (cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df)
> CVE-2011-1477
> BugLink: http://bugs.launchpad.net/bugs/925335
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  sound/oss/opl3.c |   15 +++++++++++++--
>  1 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
> index 7781c13..c828a34 100644
> --- a/sound/oss/opl3.c
> +++ b/sound/oss/opl3.c
> @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
>  
>  static void opl3_panning(int dev, int voice, int value)
>  {
> +
> +	if (voice < 0 || voice >= devc->nr_voice)
> +		return;
> +
>  	devc->voc[voice].panning = value;
>  }
>  
> @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
>  
>  static void opl3_setup_voice(int dev, int voice, int chn)
>  {
> -	struct channel_info *info =
> -	&synth_devs[dev]->chn_info[chn];
> +	struct channel_info *info;
> +
> +	if (voice < 0 || voice >= devc->nr_voice)
> +		return;
> +
> +	if (chn < 0 || chn > 15)
> +		return;
> +
> +	info = &synth_devs[dev]->chn_info[chn];
>  
>  	opl3_set_instr(dev, voice, info->pgm_num);
>  
Looks ok

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Herton Ronaldo Krzesinski - Feb. 2, 2012, 11:51 a.m.
On Thu, Feb 02, 2012 at 10:17:14AM +0000, Andy Whitcroft wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> User-controllable indexes for voice and channel values may cause reading
> and writing beyond the bounds of their respective arrays, leading to
> potentially exploitable memory corruption.  Validate these indexes.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable@kernel.org
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> 
> (cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df)
> CVE-2011-1477
> BugLink: http://bugs.launchpad.net/bugs/925335
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  sound/oss/opl3.c |   15 +++++++++++++--
>  1 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
> index 7781c13..c828a34 100644
> --- a/sound/oss/opl3.c
> +++ b/sound/oss/opl3.c
> @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
>  
>  static void opl3_panning(int dev, int voice, int value)
>  {
> +
> +	if (voice < 0 || voice >= devc->nr_voice)
> +		return;
> +
>  	devc->voc[voice].panning = value;
>  }
>  
> @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
>  
>  static void opl3_setup_voice(int dev, int voice, int chn)
>  {
> -	struct channel_info *info =
> -	&synth_devs[dev]->chn_info[chn];
> +	struct channel_info *info;
> +
> +	if (voice < 0 || voice >= devc->nr_voice)
> +		return;
> +
> +	if (chn < 0 || chn > 15)
> +		return;
> +
> +	info = &synth_devs[dev]->chn_info[chn];
>  
>  	opl3_set_instr(dev, voice, info->pgm_num);
>  
> -- 
> 1.7.8.3
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

Patch

diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
index 7781c13..c828a34 100644
--- a/sound/oss/opl3.c
+++ b/sound/oss/opl3.c
@@ -848,6 +848,10 @@  static int opl3_load_patch(int dev, int format, const char __user *addr,
 
 static void opl3_panning(int dev, int voice, int value)
 {
+
+	if (voice < 0 || voice >= devc->nr_voice)
+		return;
+
 	devc->voc[voice].panning = value;
 }
 
@@ -1065,8 +1069,15 @@  static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
 
 static void opl3_setup_voice(int dev, int voice, int chn)
 {
-	struct channel_info *info =
-	&synth_devs[dev]->chn_info[chn];
+	struct channel_info *info;
+
+	if (voice < 0 || voice >= devc->nr_voice)
+		return;
+
+	if (chn < 0 || chn > 15)
+		return;
+
+	info = &synth_devs[dev]->chn_info[chn];
 
 	opl3_set_instr(dev, voice, info->pgm_num);