releases/2.6.15.5/fix-snd-usb-audio-in-32-bit-compat-environment.patch

   1 From stable-bounces@linux.kernel.org  Mon Feb 20 18:32:46 2006
   2 Date: Mon, 20 Feb 2006 18:28:00 -0800
   3 From: akpm@osdl.org
   4 To: torvalds@osdl.org
   5 Cc: tiwai@suse.de, greg@kroah.com, jk@blackdown.de, stable@kernel.org, perex@suse.cz
   6 Subject: [PATCH] Fix snd-usb-audio in 32-bit compat environment
   7
   8 From: Juergen Kreileder <jk@blackdown.de>
   9
  10 I'm getting oopses with snd-usb-audio in 32-bit compat environments:
  11 control_compat.c:get_ctl_type() doesn't initialize 'info', so
  12 'itemlist[uinfo->value.enumerated.item]' in
  13 usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
  14 ((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
  15 because of the unsigned -> signed conversion.)
  16
  17 Signed-off-by: Juergen Kreileder <jk@blackdown.de>
  18 Cc: Jaroslav Kysela <perex@suse.cz>
  19 Acked-by: Takashi Iwai <tiwai@suse.de>
  20 Signed-off-by: Andrew Morton <akpm@osdl.org>
  21 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  22 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23 ---
  24
  25  sound/core/control_compat.c |   16 +++++++++++-----
  26  1 files changed, 11 insertions(+), 5 deletions(-)
  27
  28 --- linux-2.6.15.4.orig/sound/core/control_compat.c
  29 +++ linux-2.6.15.4/sound/core/control_compat.c
  30 @@ -164,7 +164,7 @@ struct sndrv_ctl_elem_value32 {
  31  static int get_ctl_type(snd_card_t *card, snd_ctl_elem_id_t *id, int *countp)
  32  {
  33         snd_kcontrol_t *kctl;
  34 -       snd_ctl_elem_info_t info;
  35 +       snd_ctl_elem_info_t *info;
  36         int err;
  37
  38         down_read(&card->controls_rwsem);
  39 @@ -173,13 +173,19 @@ static int get_ctl_type(snd_card_t *card
  40                 up_read(&card->controls_rwsem);
  41                 return -ENXIO;
  42         }
  43 -       info.id = *id;
  44 -       err = kctl->info(kctl, &info);
  45 +       info = kzalloc(sizeof(*info), GFP_KERNEL);
  46 +       if (info == NULL) {
  47 +               up_read(&card->controls_rwsem);
  48 +               return -ENOMEM;
  49 +       }
  50 +       info->id = *id;
  51 +       err = kctl->info(kctl, info);
  52         up_read(&card->controls_rwsem);
  53         if (err >= 0) {
  54 -               err = info.type;
  55 -               *countp = info.count;
  56 +               err = info->type;
  57 +               *countp = info->count;
  58         }
  59 +       kfree(info);
  60         return err;
  61  }
  62