[glsdk/meta-ti-glsdk.git] / recipes-bsp / linux / linux-omap / linus / 0031-sound-Prevent-buffer-overflow-in-OSS-load_mixer_volu.patch
1 From 6540a62434750fe29b877293e54dbf05c0fb54c4 Mon Sep 17 00:00:00 2001
2 From: Dan Rosenberg <drosenberg@vsecurity.com>
3 Date: Sat, 25 Dec 2010 16:23:40 -0500
4 Subject: [PATCH 31/65] sound: Prevent buffer overflow in OSS load_mixer_volumes
6 The load_mixer_volumes() function, which can be triggered by
7 unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
8 a buffer overflow. Because the provided "name" argument isn't
9 guaranteed to be NULL terminated at the expected 32 bytes, it's possible
10 to overflow past the end of the last element in the mixer_vols array.
11 Further exploitation can result in an arbitrary kernel write (via
12 subsequent calls to load_mixer_volumes()) leading to privilege
13 escalation, or arbitrary kernel reads via get_mixer_levels(). In
14 addition, the strcmp() may leak bytes beyond the mixer_vols array.
16 Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
17 Cc: stable <stable@kernel.org>
18 Signed-off-by: Takashi Iwai <tiwai@suse.de>
19 ---
20 sound/oss/soundcard.c | 4 ++--
21 1 files changed, 2 insertions(+), 2 deletions(-)
23 diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
24 index 46c0d03..fcb14a0 100644
25 --- a/sound/oss/soundcard.c
26 +++ b/sound/oss/soundcard.c
27 @@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
28 int i, n;
30 for (i = 0; i < num_mixer_volumes; i++) {
31 - if (strcmp(name, mixer_vols[i].name) == 0) {
32 + if (strncmp(name, mixer_vols[i].name, 32) == 0) {
33 if (present)
34 mixer_vols[i].num = i;
35 return mixer_vols[i].levels;
36 @@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
37 }
38 n = num_mixer_volumes++;
40 - strcpy(mixer_vols[n].name, name);
41 + strncpy(mixer_vols[n].name, name, 32);
43 if (present)
44 mixer_vols[n].num = n;
45 --
46 1.6.6.1