From: Greg Kroah-Hartman Date: Thu, 16 Aug 2018 10:08:01 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.119~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=68f5a892e779c7317933f053237c21b98acd7593;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch --- diff --git a/queue-3.18/alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch b/queue-3.18/alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch new file mode 100644 index 00000000000..ad8bc362c2e --- /dev/null +++ b/queue-3.18/alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch 
@@ -0,0 +1,48 @@ +From erickreyes@google.com Thu Aug 16 12:07:22 2018 +From: Erick Reyes +Date: Wed, 15 Aug 2018 17:55:48 -0700 +Subject: ALSA: info: Check for integer overflow in snd_info_entry_write() +To: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Jaroslav Kysela , Takashi Iwai , kernel-team@android.com, Vinod Koul , Joe Perches , Al Viro , alsa-devel@alsa-project.org, Erick Reyes , Siqi Lin +Message-ID: <20180816005548.151269-1-erickreyes@google.com> + +From: Erick Reyes + +Commit 4adb7bcbcb69 ("ALSA: core: Use seq_file for text proc file +reads") heavily refactored ALSA procfs and fixed the overflow as +a side-effect, so this fix only applies to kernels < 4.2 and +there is no upstream equivalent + +snd_info_entry_write() resizes the buffer with an unsigned long +size argument that gets truncated because resize_info_buffer() +takes the size parameter as an unsigned int. On 64-bit kernels, +this causes the following copy_to_user() to write out-of-bounds +if (pos + count) can't be represented by an unsigned int. + +Signed-off-by: Siqi Lin +Signed-off-by: Erick Reyes +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/info.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/core/info.c ++++ b/sound/core/info.c +@@ -253,6 +253,7 @@ static ssize_t snd_info_entry_write(stru + struct snd_info_buffer *buf; + ssize_t size = 0; + loff_t pos; ++ unsigned long realloc_size; + + data = file->private_data; + if (snd_BUG_ON(!data)) +@@ -261,7 +262,8 @@ static ssize_t snd_info_entry_write(stru + pos = *offset; + if (pos < 0 || (long) pos != pos || (ssize_t) count < 0) + return -EIO; +- if ((unsigned long) pos + (unsigned long) count < (unsigned long) pos) ++ realloc_size = (unsigned long) pos + (unsigned long) count; ++ if (realloc_size < (unsigned long) pos || realloc_size > UINT_MAX) + return -EIO; + switch (entry->content) { + case SNDRV_INFO_CONTENT_TEXT: 
diff --git a/queue-3.18/series b/queue-3.18/series index c9c01284993..db629cfad41 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -4,3 +4,4 @@ fix-mntput-mntput-race.patch fix-__legitimize_mnt-mntput-race.patch arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch kprobes-x86-fix-p-uses-in-error-messages.patch +alsa-info-check-for-integer-overflow-in-snd_info_entry_write.patch
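Review bot: the changelog in the queued patch names copy_to_user() as the call that writes out-of-bounds, but the function being patched is snd_info_entry_write(), the write path, and the copy call itself is not in the visible context of either sound/core/info.c hunk. Please confirm that the helper named in the description matches the call that follows the resize in this function, so that anyone backporting to other pre-4.2 trees can locate the affected copy from the message alone.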
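Review bot: in the second sound/core/info.c hunk (at line 261), the new `realloc_size > UINT_MAX` bound carries no comment explaining why the limit is UINT_MAX. Only the commit message says that resize_info_buffer() takes its size as an unsigned int, so a later cleanup could drop the bound as redundant with the wraparound test beside it. A one-line comment above the check naming that parameter type would keep the reason in the code. Also note that on 32-bit builds, where unsigned long and unsigned int have the same width, this comparison is always false. That is harmless and consistent with the "On 64-bit kernels" wording in the description, but it can trigger a type-limits warning where that warning is enabled.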