1 From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
2 From: Dan Rosenberg <drosenberg@vsecurity.com>
3 Date: Sat, 25 Dec 2010 16:23:40 -0500
4 Subject: [PATCH 31/66] sound: Prevent buffer overflow in OSS load_mixer_volumes
6 The load_mixer_volumes() function, which can be triggered by
7 unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
8 a buffer overflow. Because the provided "name" argument isn't
9 guaranteed to be NULL terminated at the expected 32 bytes, it's possible
10 to overflow past the end of the last element in the mixer_vols array.
11 Further exploitation can result in an arbitrary kernel write (via
12 subsequent calls to load_mixer_volumes()) leading to privilege
13 escalation, or arbitrary kernel reads via get_mixer_levels(). In
14 addition, the strcmp() may leak bytes beyond the mixer_vols array.
16 Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
17 Cc: stable <stable@kernel.org>
18 Signed-off-by: Takashi Iwai <tiwai@suse.de>
20 sound/oss/soundcard.c | 4 ++--
21 1 files changed, 2 insertions(+), 2 deletions(-)
23 diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c
24 index 46c0d03..fcb14a0 100644
25 --- a/sound/oss/soundcard.c
26 +++ b/sound/oss/soundcard.c
27 @@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
30 for (i = 0; i < num_mixer_volumes; i++) {
31 - if (strcmp(name, mixer_vols[i].name) == 0) {
32 + if (strncmp(name, mixer_vols[i].name, 32) == 0) {
34 mixer_vols[i].num = i;
35 return mixer_vols[i].levels;
36 @@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int *levels, int present)
38 n = num_mixer_volumes++;
40 - strcpy(mixer_vols[n].name, name);
41 + strncpy(mixer_vols[n].name, name, 32);
44 mixer_vols[n].num = n;
git.openpandora.org / openembedded.git / blob