[CVE-2011-1169][Maverick][PATCH] ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169

[Herton Ronaldo Krzesinski]

From: Dan Rosenberg <drosenberg at vsecurity.com>

CVE-2011-1169

BugLink: http://bugs.launchpad.net/bugs/785331

Released until now with stable versions 2.6.37.5, 2.6.38.1

The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
Cc: <stable at kernel.org>
Signed-off-by: Takashi Iwai <tiwai at suse.de>
(backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
Signed-off-by: Herton Krzesinski <herton.krzesinski at canonical.com>
---
 sound/pci/asihpi/hpioctl.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 7396ac5..7b600f7 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		goto out;
 	}
 
+	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	pa = &adapters[hm->h.adapter_index];
 	hr->h.size = 0;
 	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
-- 
1.7.0.4