From patchwork Thu May 19 20:21:44 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [CVE-2011-1169,
 Maverick] ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl,
 CVE-2011-1169
From: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
X-Patchwork-Id: 96453
Message-Id: <1305836504-6864-1-git-send-email-herton.krzesinski@canonical.com>
To: kernel-team@lists.ubuntu.com
Date: Thu, 19 May 2011 17:21:44 -0300

From: Dan Rosenberg <drosenberg@vsecurity.com>

CVE-2011-1169

BugLink: http://bugs.launchpad.net/bugs/785331

Released until now with stable versions 2.6.37.5, 2.6.38.1

The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

---
sound/pci/asihpi/hpioctl.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 7396ac5..7b600f7 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		goto out;
 	}
 
+	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	pa = &adapters[hm->h.adapter_index];
 	hr->h.size = 0;
 	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {