[alsa-devel] [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace

[Xiao Yang]

From: Young_X <YangX92 at hotmail.com>

    The ALSA control code expects that the range of assigned indices to a 
    control is continuous and does not overflow. Currently there are no 
    checks to enforce this.
    If a control with a overflowing index range is created that control 
    becomes effectively inaccessible and unremovable since 
    snd_ctl_find_id() will not be able to find it. This patch adds a check 
    that makes sure that controls with a overflowing index range can not 
    be created.
    (same issue as CVE-2014-4656)

Signed-off-by: Young_X <YangX92 at hotmail.com>
---
 sound/core/control.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 9aa15bf..6435772 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
 		goto error;
 	}
 	id = kcontrol->id;
+	if (id.index > UINT_MAX - kcontrol->count) {
+		ret = -EINVAL;
+		goto error;
+	}
+
 	down_write(&card->controls_rwsem);
 	old = snd_ctl_find_id(card, &id);
 	if (!old) {
-- 
2.7.4