Patchwork [CVE-2011-1169,Maverick] ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169

login
register
mail settings
Submitter Herton Ronaldo Krzesinski
Date May 19, 2011, 8:21 p.m.
Message ID <1305836504-6864-1-git-send-email-herton.krzesinski@canonical.com>
Download mbox | patch
Permalink /patch/96453/
State New
Headers show

Comments

Herton Ronaldo Krzesinski - May 19, 2011, 8:21 p.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

CVE-2011-1169

BugLink: http://bugs.launchpad.net/bugs/785331

Released until now with stable versions 2.6.37.5, 2.6.38.1

The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
---
 sound/pci/asihpi/hpioctl.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)
John Johansen - May 19, 2011, 8:55 p.m.
On 05/19/2011 01:21 PM, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> CVE-2011-1169
> 
> BugLink: http://bugs.launchpad.net/bugs/785331
> 
> Released until now with stable versions 2.6.37.5, 2.6.38.1
> 
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>

Acked-by: John Johansen <john.johansen@canonical.com>


> ---
>  sound/pci/asihpi/hpioctl.c |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  		goto out;
>  	}
>  
> +	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> +		err = -EINVAL;
> +		goto out;
> +	}
> +
>  	pa = &adapters[hm->h.adapter_index];
>  	hr->h.size = 0;
>  	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
Leann Ogasawara - May 19, 2011, 9:10 p.m.
On Thu, 2011-05-19 at 17:21 -0300, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> CVE-2011-1169
> 
> BugLink: http://bugs.launchpad.net/bugs/785331
> 
> Released until now with stable versions 2.6.37.5, 2.6.38.1
> 
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
>  sound/pci/asihpi/hpioctl.c |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  		goto out;
>  	}
>  
> +	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> +		err = -EINVAL;
> +		goto out;
> +	}
> +
>  	pa = &adapters[hm->h.adapter_index];
>  	hr->h.size = 0;
>  	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
> -- 
> 1.7.0.4
> 
>
Steve Conklin - May 24, 2011, 8:47 p.m.
Applied

On Thu, 2011-05-19 at 17:21 -0300, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> CVE-2011-1169
> 
> BugLink: http://bugs.launchpad.net/bugs/785331
> 
> Released until now with stable versions 2.6.37.5, 2.6.38.1
> 
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
> ---
>  sound/pci/asihpi/hpioctl.c |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  		goto out;
>  	}
>  
> +	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> +		err = -EINVAL;
> +		goto out;
> +	}
> +
>  	pa = &adapters[hm->h.adapter_index];
>  	hr->h.size = 0;
>  	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
> -- 
> 1.7.0.4
> 
>

Patch

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 7396ac5..7b600f7 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -146,6 +146,11 @@  long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		goto out;
 	}
 
+	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	pa = &adapters[hm->h.adapter_index];
 	hr->h.size = 0;
 	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {