From patchwork Thu Feb 2 10:17:14 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 139105 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 72E1F104798 for ; Thu, 2 Feb 2012 21:17:23 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RstjB-0000W2-CJ; Thu, 02 Feb 2012 10:17:17 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1Rstj9-0000Vo-Pn for kernel-team@lists.ubuntu.com; Thu, 02 Feb 2012 10:17:15 +0000 Received: from [85.210.149.110] (helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1Rstj9-0001do-Lk; Thu, 02 Feb 2012 10:17:15 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [hardy, maverick/ti-omap4 CVE 1/1] sound/oss/opl3: validate voice and channel indexes Date: Thu, 2 Feb 2012 10:17:14 +0000 Message-Id: <1328177834-10379-2-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.8.3 In-Reply-To: <1328177834-10379-1-git-send-email-apw@canonical.com> References: <1328177834-10379-1-git-send-email-apw@canonical.com> Cc: Andy Whitcroft X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Dan Rosenberg User-controllable indexes for voice and channel values may cause reading and writing beyond the bounds of their respective arrays, leading to potentially exploitable memory corruption. Validate these indexes. Signed-off-by: Dan Rosenberg Cc: stable@kernel.org Signed-off-by: Takashi Iwai (cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df) CVE-2011-1477 BugLink: http://bugs.launchpad.net/bugs/925335 Signed-off-by: Andy Whitcroft Acked-by: Stefan Bader --- sound/oss/opl3.c | 15 +++++++++++++-- 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c index 7781c13..c828a34 100644 --- a/sound/oss/opl3.c +++ b/sound/oss/opl3.c @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr, static void opl3_panning(int dev, int voice, int value) { + + if (voice < 0 || voice >= devc->nr_voice) + return; + devc->voc[voice].panning = value; } @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info static void opl3_setup_voice(int dev, int voice, int chn) { - struct channel_info *info = - &synth_devs[dev]->chn_info[chn]; + struct channel_info *info; + + if (voice < 0 || voice >= devc->nr_voice) + return; + + if (chn < 0 || chn > 15) + return; + + info = &synth_devs[dev]->chn_info[chn]; opl3_set_instr(dev, voice, info->pgm_num);