From: Young_X YangX92@hotmail.com
The ALSA control code expects that the range of assigned indices to a control is continuous and does not overflow. Currently there are no checks to enforce this. If a control with a overflowing index range is created that control becomes effectively inaccessible and unremovable since snd_ctl_find_id() will not be able to find it. This patch adds a check that makes sure that controls with a overflowing index range can not be created. (same issue as CVE-2014-4656)
Signed-off-by: Young_X YangX92@hotmail.com --- sound/core/control.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c index 9aa15bf..6435772 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol, goto error; } id = kcontrol->id; + if (id.index > UINT_MAX - kcontrol->count) { + ret = -EINVAL; + goto error; + } + down_write(&card->controls_rwsem); old = snd_ctl_find_id(card, &id); if (!old) {