ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169

05-19-2011, 08:21 PM

From: Dan Rosenberg <drosenberg@vsecurity.com>

CVE-2011-1169

BugLink: http://bugs.launchpad.net/bugs/785331

Released until now with stable versions 2.6.37.5, 2.6.38.1

The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
---
sound/pci/asihpi/hpioctl.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 7396ac5..7b600f7 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
goto out;
}

+ if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+ err = -EINVAL;
+ goto out;
+ }
+
pa = &adapters[hm->h.adapter_index];
hr->h.size = 0;
if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
--
1.7.0.4

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

05-19-2011, 08:55 PM

On 05/19/2011 01:21 PM, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> CVE-2011-1169
>
> BugLink: http://bugs.launchpad.net/bugs/785331
>
> Released until now with stable versions 2.6.37.5, 2.6.38.1
>
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>

Acked-by: John Johansen <john.johansen@canonical.com>

> ---
> sound/pci/asihpi/hpioctl.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> goto out;
> }
>
> + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> + err = -EINVAL;
> + goto out;
> + }
> +
> pa = &adapters[hm->h.adapter_index];
> hr->h.size = 0;
> if (hm->h.object == HPI_OBJ_SUBSYSTEM) {

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

05-19-2011, 09:10 PM

On Thu, 2011-05-19 at 17:21 -0300, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> CVE-2011-1169
>
> BugLink: http://bugs.launchpad.net/bugs/785331
>
> Released until now with stable versions 2.6.37.5, 2.6.38.1
>
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
> sound/pci/asihpi/hpioctl.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> goto out;
> }
>
> + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> + err = -EINVAL;
> + goto out;
> + }
> +
> pa = &adapters[hm->h.adapter_index];
> hr->h.size = 0;
> if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
> --
> 1.7.0.4
>
>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

05-24-2011, 08:47 PM

Applied

On Thu, 2011-05-19 at 17:21 -0300, Herton Ronaldo Krzesinski wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
>
> CVE-2011-1169
>
> BugLink: http://bugs.launchpad.net/bugs/785331
>
> Released until now with stable versions 2.6.37.5, 2.6.38.1
>
> The user-supplied index into the adapters array needs to be checked, or
> an out-of-bounds kernel pointer could be accessed and used, leading to
> potentially exploitable memory corruption.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> (backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
> Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
> ---
> sound/pci/asihpi/hpioctl.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index 7396ac5..7b600f7 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> goto out;
> }
>
> + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
> + err = -EINVAL;
> + goto out;
> + }
> +
> pa = &adapters[hm->h.adapter_index];
> hr->h.size = 0;
> if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
> --
> 1.7.0.4
>
>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team