Ack: Re: [hardy, maverick/ti-omap4 CVE 1/1] sound/oss/opl3: validate voice and channel indexes
Herton Ronaldo Krzesinski
herton.krzesinski at canonical.com
Thu Feb 2 11:51:55 UTC 2012
On Thu, Feb 02, 2012 at 10:17:14AM +0000, Andy Whitcroft wrote:
> From: Dan Rosenberg <drosenberg at vsecurity.com>
>
> User-controllable indexes for voice and channel values may cause reading
> and writing beyond the bounds of their respective arrays, leading to
> potentially exploitable memory corruption. Validate these indexes.
>
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Cc: stable at kernel.org
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
>
> (cherry picked from commit 4d00135a680727f6c3be78f8befaac009030e4df)
> CVE-2011-1477
> BugLink: http://bugs.launchpad.net/bugs/925335
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
> sound/oss/opl3.c | 15 +++++++++++++--
> 1 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/sound/oss/opl3.c b/sound/oss/opl3.c
> index 7781c13..c828a34 100644
> --- a/sound/oss/opl3.c
> +++ b/sound/oss/opl3.c
> @@ -848,6 +848,10 @@ static int opl3_load_patch(int dev, int format, const char __user *addr,
>
> static void opl3_panning(int dev, int voice, int value)
> {
> +
> + if (voice < 0 || voice >= devc->nr_voice)
> + return;
> +
> devc->voc[voice].panning = value;
> }
>
> @@ -1065,8 +1069,15 @@ static int opl3_alloc_voice(int dev, int chn, int note, struct voice_alloc_info
>
> static void opl3_setup_voice(int dev, int voice, int chn)
> {
> - struct channel_info *info =
> - &synth_devs[dev]->chn_info[chn];
> + struct channel_info *info;
> +
> + if (voice < 0 || voice >= devc->nr_voice)
> + return;
> +
> + if (chn < 0 || chn > 15)
> + return;
> +
> + info = &synth_devs[dev]->chn_info[chn];
>
> opl3_set_instr(dev, voice, info->pgm_num);
>
> --
> 1.7.8.3
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
More information about the kernel-team
mailing list