| Message ID | 1328177834-10379-2-git-send-email-apw@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 02.02.2012 11:17, Andy Whitcroft wrote: > From: Dan Rosenberg <drosenberg@vsecurity.com> > > User-controllable indexes for voice and channel values may cause reading > and writing beyond the bounds of their respective arrays, leading to > potentially exploitable memory corruption. Validate these indexes. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Cc: stable@kernel.org > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > (cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df) > CVE-2011-1477 > BugLink: http://bugs.launchpad.net/bugs/925335 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > sound/oss/opl3.c | 15 +++++++++++++-- > 1 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c > index 7781c13..c828a34 100644 > --- a/sound/oss/opl3.c > +++ b/sound/oss/opl3.c > @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr, > > static void opl3_panning(int dev, int voice, int value) > { > + > + if (voice < 0 || voice >= devc->nr_voice) > + return; > + > devc->voc[voice].panning = value; > } > > @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info > > static void opl3_setup_voice(int dev, int voice, int chn) > { > - struct channel_info *info = > - &synth_devs[dev]->chn_info[chn]; > + struct channel_info *info; > + > + if (voice < 0 || voice >= devc->nr_voice) > + return; > + > + if (chn < 0 || chn > 15) > + return; > + > + info = &synth_devs[dev]->chn_info[chn]; > > opl3_set_instr(dev, voice, info->pgm_num); > Looks ok Acked-by: Stefan Bader <stefan.bader@canonical.com>
On Thu, Feb 02, 2012 at 10:17:14AM +0000, Andy Whitcroft wrote: > From: Dan Rosenberg <drosenberg@vsecurity.com> > > User-controllable indexes for voice and channel values may cause reading > and writing beyond the bounds of their respective arrays, leading to > potentially exploitable memory corruption. Validate these indexes. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Cc: stable@kernel.org > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > (cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df) > CVE-2011-1477 > BugLink: http://bugs.launchpad.net/bugs/925335 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > sound/oss/opl3.c | 15 +++++++++++++-- > 1 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c > index 7781c13..c828a34 100644 > --- a/sound/oss/opl3.c > +++ b/sound/oss/opl3.c > @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr, > > static void opl3_panning(int dev, int voice, int value) > { > + > + if (voice < 0 || voice >= devc->nr_voice) > + return; > + > devc->voc[voice].panning = value; > } > > @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info > > static void opl3_setup_voice(int dev, int voice, int chn) > { > - struct channel_info *info = > - &synth_devs[dev]->chn_info[chn]; > + struct channel_info *info; > + > + if (voice < 0 || voice >= devc->nr_voice) > + return; > + > + if (chn < 0 || chn > 15) > + return; > + > + info = &synth_devs[dev]->chn_info[chn]; > > opl3_set_instr(dev, voice, info->pgm_num); > > -- > 1.7.8.3 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c index 7781c13..c828a34 100644 --- a/sound/oss/opl3.c +++ b/sound/oss/opl3.c @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr, static void opl3_panning(int dev, int voice, int value) { + + if (voice < 0 || voice >= devc->nr_voice) + return; + devc->voc[voice].panning = value; } @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info static void opl3_setup_voice(int dev, int voice, int chn) { - struct channel_info *info = - &synth_devs[dev]->chn_info[chn]; + struct channel_info *info; + + if (voice < 0 || voice >= devc->nr_voice) + return; + + if (chn < 0 || chn > 15) + return; + + info = &synth_devs[dev]->chn_info[chn]; opl3_set_instr(dev, voice, info->pgm_num);