From: Greg Kroah-Hartman
Date: Tue, 19 Oct 2010 21:04:21 +0000 (-0700)
Subject: .27 patches
X-Git-Tag: v2.6.27.55~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ffd33f9a6e47a1f91ef9f7d5776c2667fc69a441;p=thirdparty%2Fkernel%2Fstable-queue.git

.27 patches
---
diff --git a/queue-2.6.27/alsa-prevent-heap-corruption-in-snd_ctl_new.patch b/queue-2.6.27/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
new file mode 100644
index 00000000000..587c8a4299f
--- /dev/null
+++ b/queue-2.6.27/alsa-prevent-heap-corruption-in-snd_ctl_new.patch
@@ -0,0 +1,46 @@
+From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Tue, 28 Sep 2010 14:18:20 -0400
+Subject: ALSA: prevent heap corruption in snd_ctl_new()
+
+From: Dan Rosenberg
+
+commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.
+
+The snd_ctl_new() function in sound/core/control.c allocates space for a
+snd_kcontrol struct by performing arithmetic operations on a
+user-provided size without checking for integer overflow. If a user
+provides a large enough size, an overflow will occur, the allocated
+chunk will be too small, and a second user-influenced value will be
+written repeatedly past the bounds of this chunk. This code is
+reachable by unprivileged users who have permission to open
+a /dev/snd/controlC* device (on many distros, this is group "audio") via
+the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/control.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+ 
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+ 
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
+@@ -190,6 +191,8 @@ static struct snd_kcontrol *snd_ctl_new(
+ 
+ snd_assert(control != NULL, return NULL);
+ snd_assert(control->count > 0, return NULL);
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
diff --git a/queue-2.6.27/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch b/queue-2.6.27/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
new file mode 100644
index 00000000000..86ce2c86798
--- /dev/null
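Review bot: `#define MAX_CONTROL_COUNT 1028` is added to sound/core/control.c with no comment saying what the value bounds or how it was chosen, so a later reader cannot tell that it exists to keep the `sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count` size passed to kzalloc() from wrapping. A comment on the define such as `/* upper bound on control->count so the allocation size in snd_ctl_new() cannot overflow */` would record that. The new `if (control->count > MAX_CONTROL_COUNT)` is an unconditional check, whereas the two `snd_assert()` lines above it may not be enforced in every build configuration (worth confirming), and returning NULL here presumably reaches the ioctl caller as an allocation failure rather than an invalid-argument error. snd_ctl_new() begins and ends outside the hunk, so the write loop that the commit message describes is not visible here.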
+++ b/queue-2.6.27/alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch @@ -0,0 +1,45 @@ +From e68d3b316ab7b02a074edc4f770e6a746390cb7d Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Sat, 25 Sep 2010 11:07:27 -0400 +Subject: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory + +From: Dan Rosenberg + +commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream. + +The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and +SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow +unprivileged users to read uninitialized kernel stack memory, because +several fields of the hdsp{m}_config_info structs declared on the stack +are not altered or zeroed before being copied back to the user. This +patch takes care of it. + +Signed-off-by: Dan Rosenberg +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/rme9652/hdsp.c | 1 + + sound/pci/rme9652/hdspm.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -4569,6 +4569,7 @@ static int snd_hdsp_hwdep_ioctl(struct s + snd_printk(KERN_ERR "Hammerfall-DSP: Firmware needs to be uploaded to the card.\n"); + return -EINVAL; + } ++ memset(&info, 0, sizeof(info)); + spin_lock_irqsave(&hdsp->lock, flags); + info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp); + info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp); +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -4133,6 +4133,7 @@ static int snd_hdspm_hwdep_ioctl(struct + + case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO: + ++ memset(&info, 0, sizeof(info)); + spin_lock_irq(&hdspm->lock); + info.pref_sync_ref = hdspm_pref_sync_ref(hdspm); + info.wordclock_sync_check = hdspm_wc_sync_check(hdspm); diff --git a/queue-2.6.27/series b/queue-2.6.27/series index dc48c0ff1f1..2212e0c33c7 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series 
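Review bot: The added `memset(&info, 0, sizeof(info));` in snd_hdsp_hwdep_ioctl() and in snd_hdspm_hwdep_ioctl() has no comment explaining why the whole struct is cleared, and that reason is what stops the call from being dropped or replaced by an initializer in a later cleanup. I would put `/* clear every byte, padding included: info is copied back to user space */` above each call, since field-by-field assignment or a brace initializer does not necessarily zero padding. The copy to user space and any other stack structures these two handlers return are outside the hunk, so the same check is worth making for them. The commit message also names SNDRV_HDSP_IOCTL_GET_CONFIG_INFO twice, where the second is presumably the SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO case shown in the hdspm.c hunk.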
@@ -1,2 +1,4 @@
 aio-check-for-multiplication-overflow-in-do_io_submit.patch
 guard-page-for-stacks-that-grow-upwards.patch
+alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch
+alsa-prevent-heap-corruption-in-snd_ctl_new.patch