• D
    ALSA: prevent heap corruption in snd_ctl_new() · 5591bf07
    Dan Rosenberg 提交于
    The snd_ctl_new() function in sound/core/control.c allocates space for a
    snd_kcontrol struct by performing arithmetic operations on a
    user-provided size without checking for integer overflow.  If a user
    provides a large enough size, an overflow will occur, the allocated
    chunk will be too small, and a second user-influenced value will be
    written repeatedly past the bounds of this chunk.  This code is
    reachable by unprivileged users who have permission to open
    a /dev/snd/controlC* device (on many distros, this is group "audio") via
    the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
    Signed-off-by: NDan Rosenberg <drosenberg@vsecurity.com>
    Cc: <stable@kernel.org>
    Signed-off-by: NTakashi Iwai <tiwai@suse.de>
    5591bf07
control.c 38.7 KB