| Message ID | 1305836504-6864-1-git-send-email-herton.krzesinski@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 05/19/2011 01:21 PM, Herton Ronaldo Krzesinski wrote: > From: Dan Rosenberg <drosenberg@vsecurity.com> > > CVE-2011-1169 > > BugLink: http://bugs.launchpad.net/bugs/785331 > > Released until now with stable versions 2.6.37.5, 2.6.38.1 > > The user-supplied index into the adapters array needs to be checked, or > an out-of-bounds kernel pointer could be accessed and used, leading to > potentially exploitable memory corruption. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Cc: <stable@kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream) > Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> > --- > sound/pci/asihpi/hpioctl.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c > index 7396ac5..7b600f7 100644 > --- a/sound/pci/asihpi/hpioctl.c > +++ b/sound/pci/asihpi/hpioctl.c > @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > goto out; > } > > + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) { > + err = -EINVAL; > + goto out; > + } > + > pa = &adapters[hm->h.adapter_index]; > hr->h.size = 0; > if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
On Thu, 2011-05-19 at 17:21 -0300, Herton Ronaldo Krzesinski wrote: > From: Dan Rosenberg <drosenberg@vsecurity.com> > > CVE-2011-1169 > > BugLink: http://bugs.launchpad.net/bugs/785331 > > Released until now with stable versions 2.6.37.5, 2.6.38.1 > > The user-supplied index into the adapters array needs to be checked, or > an out-of-bounds kernel pointer could be accessed and used, leading to > potentially exploitable memory corruption. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Cc: <stable@kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream) > Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > sound/pci/asihpi/hpioctl.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c > index 7396ac5..7b600f7 100644 > --- a/sound/pci/asihpi/hpioctl.c > +++ b/sound/pci/asihpi/hpioctl.c > @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > goto out; > } > > + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) { > + err = -EINVAL; > + goto out; > + } > + > pa = &adapters[hm->h.adapter_index]; > hr->h.size = 0; > if (hm->h.object == HPI_OBJ_SUBSYSTEM) { > -- > 1.7.0.4 > >
Applied On Thu, 2011-05-19 at 17:21 -0300, Herton Ronaldo Krzesinski wrote: > From: Dan Rosenberg <drosenberg@vsecurity.com> > > CVE-2011-1169 > > BugLink: http://bugs.launchpad.net/bugs/785331 > > Released until now with stable versions 2.6.37.5, 2.6.38.1 > > The user-supplied index into the adapters array needs to be checked, or > an out-of-bounds kernel pointer could be accessed and used, leading to > potentially exploitable memory corruption. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Cc: <stable@kernel.org> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream) > Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com> > --- > sound/pci/asihpi/hpioctl.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c > index 7396ac5..7b600f7 100644 > --- a/sound/pci/asihpi/hpioctl.c > +++ b/sound/pci/asihpi/hpioctl.c > @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > goto out; > } > > + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) { > + err = -EINVAL; > + goto out; > + } > + > pa = &adapters[hm->h.adapter_index]; > hr->h.size = 0; > if (hm->h.object == HPI_OBJ_SUBSYSTEM) { > -- > 1.7.0.4 > >
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index 7396ac5..7b600f7 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) goto out; } + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) { + err = -EINVAL; + goto out; + } + pa = &adapters[hm->h.adapter_index]; hr->h.size = 0; if (hm->h.object == HPI_OBJ_SUBSYSTEM) {