[alsa-devel] [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace
Xiao Yang
YangX92 at hotmail.com
Fri Aug 31 13:00:02 CEST 2018
From: Young_X <YangX92 at hotmail.com>
The ALSA control code expects that the range of assigned indices to a
control is continuous and does not overflow. Currently there are no
checks to enforce this.
If a control with an overflowing index range is created that control
becomes effectively inaccessible and unremovable since
snd_ctl_find_id() will not be able to find it. This patch adds a check
that makes sure that controls with an overflowing index range cannot
be created.
(same issue as CVE-2014-4656)
Signed-off-by: Young_X <YangX92 at hotmail.com>
---
sound/core/control.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c
index 9aa15bf..6435772 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
goto error;
}
id = kcontrol->id;
+ if (id.index > UINT_MAX - kcontrol->count) {
+ ret = -EINVAL;
+ goto error;
+ }
+
down_write(&card->controls_rwsem);
old = snd_ctl_find_id(card, &id);
if (!old) {
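Review bot: The new `id.index > UINT_MAX - kcontrol->count` test, placed between `id = kcontrol->id;` and `down_write(&card->controls_rwsem)`, has no comment saying what it guards. A one-line comment stating that the control's index range must not wrap, because `snd_ctl_find_id()` could otherwise no longer find it, would save the next reader a trip to the commit log. The added `goto error` runs before the semaphore is taken, like the earlier `goto error` in the context above, so it is correct only if the `error` label does not call `up_write()`. That label is not visible in this hunk, so please confirm it, and confirm what the path does with `kcontrol` on rejection.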
--
2.7.4