diff options
Diffstat (limited to 'extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch')
| -rw-r--r-- | extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch new file mode 100644 index 00000000..473a408d --- /dev/null +++ b/extras/recipes-kernel/linux/linux-omap/linus/0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch @@ -0,0 +1,47 @@ +From 6540a62434750fe29b877293e54dbf05c0fb54c4 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Sat, 25 Dec 2010 16:23:40 -0500 +Subject: [PATCH 31/65] sound: Prevent buffer overflow in OSS load_mixer_volumes + +The load_mixer_volumes() function, which can be triggered by +unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to +a buffer overflow. Because the provided "name" argument isn't +guaranteed to be NULL terminated at the expected 32 bytes, it's possible +to overflow past the end of the last element in the mixer_vols array. +Further exploitation can result in an arbitrary kernel write (via +subsequent calls to load_mixer_volumes()) leading to privilege +escalation, or arbitrary kernel reads via get_mixer_levels(). In +addition, the strcmp() may leak bytes beyond the mixer_vols array. + +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Cc: stable <stable@kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +--- + sound/oss/soundcard.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c +index 46c0d03..fcb14a0 100644 +--- a/sound/oss/soundcard.c ++++ b/sound/oss/soundcard.c +@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present) + int i, n; + + for (i = 0; i < num_mixer_volumes; i++) { +- if (strcmp(name, mixer_vols[i].name) == 0) { ++ if (strncmp(name, mixer_vols[i].name, 32) == 0) { + if (present) + mixer_vols[i].num = i; + return mixer_vols[i].levels; +@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present) + } + n = num_mixer_volumes++; + +- strcpy(mixer_vols[n].name, name); ++ strncpy(mixer_vols[n].name, name, 32); + + if (present) + mixer_vols[n].num = n; +-- +1.6.6.1 + |