linux/sound/oss
Dan Rosenberg 203d86c28c sound: Prevent buffer overflow in OSS load_mixer_volumes
commit d81a12bc29 upstream.

The load_mixer_volumes() function, which can be triggered by
unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
a buffer overflow.  Because the provided "name" argument isn't
guaranteed to be NULL terminated at the expected 32 bytes, it's possible
to overflow past the end of the last element in the mixer_vols array.
Further exploitation can result in an arbitrary kernel write (via
subsequent calls to load_mixer_volumes()) leading to privilege
escalation, or arbitrary kernel reads via get_mixer_levels().  In
addition, the strcmp() may leak bytes beyond the mixer_vols array.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-01-07 13:58:45 -08:00
dmasound sound/oss: convert to unlocked_ioctl 2010-07-12 22:36:47 +02:00
.gitignore
ac97_codec.c ALSA: ASoC: update email address for Liam Girdwood 2008-10-13 02:26:42 +02:00
ad1848_mixer.h fix file specification in comments 2006-10-03 23:01:26 +02:00
ad1848.c sound/oss: Adjust confusing if indentation 2010-08-06 09:59:24 +02:00
ad1848.h [PATCH] The scheduled removal of some OSS drivers 2006-10-04 07:55:32 -07:00
aedsp16.c sound: aedsp16: Buffer overflow 2009-07-29 14:37:12 +02:00
au1550_ac97.c sound: oss: au1550_ac97.c removed duplicated #include 2010-08-06 09:58:59 +02:00
audio.c sound: OSS: fix error return in dma_ioctl() 2009-11-12 21:09:45 +01:00
bin2hex.c
CHANGELOG
coproc.h sound/oss/coproc.h: Checkpatch cleanup 2010-03-02 11:22:19 +01:00
dev_table.c sound: oss: off by one bug 2010-01-08 09:17:51 +01:00
dev_table.h [PATCH] kill sound/oss/*_syms.c 2006-10-04 07:55:32 -07:00
dmabuf.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hex2hex.c oss: Mark loadhex static in hex2hex.c 2009-11-15 15:01:42 -08:00
kahlua.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
Makefile sound: remove OSS Ensoniq SoundScape driver 2009-10-30 12:45:08 +01:00
midi_ctrl.h
midi_synth.c sound: oss: midi_synth: check get_user() return value 2010-07-29 12:25:06 +02:00
midi_synth.h
midibuf.c sound: fix OSS MIDI output data loss 2009-08-10 13:15:43 +02:00
mpu401.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mpu401.h IRQ: Maintain regs pointer globally rather than passing to IRQ handlers 2006-10-05 15:10:12 +01:00
msnd_classic.c
msnd_classic.h sound: sound/oss/: remove CVS keywords 2008-05-27 15:56:20 +02:00
msnd_pinnacle.c sound: oss: msnd: check request_region() return value 2010-07-29 13:48:57 +02:00
msnd_pinnacle.h sound: sound/oss/: remove CVS keywords 2008-05-27 15:56:20 +02:00
msnd.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
msnd.h [PATCH] introduce fmode_t, do annotations 2008-10-21 07:47:06 -04:00
opl3_hw.h
opl3.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
os.h [PATCH] mark struct file_operations const 9 2007-02-12 09:48:46 -08:00
pas2_card.c sound: OSS: missing parentheses in pas2_card.c 2009-02-18 11:37:51 +01:00
pas2_midi.c fix file specification in comments 2006-10-03 23:01:26 +02:00
pas2_mixer.c fix file specification in comments 2006-10-03 23:01:26 +02:00
pas2_pcm.c time: move PIT_TICK_RATE to linux/timex.h 2009-06-16 19:47:27 -07:00
pas2.h
pss.c sound/oss/pss: Fix test of unsigned in pss_reset_dsp() and pss_download_boot() 2009-12-17 12:19:12 +01:00
README.FIRST
sb_audio.c fix file specification in comments 2006-10-03 23:01:26 +02:00
sb_card.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_card.h
sb_common.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_ess.c sound: Use KERN_WARNING instead of KERN_WARN, which does not exist 2009-11-05 09:09:55 +01:00
sb_ess.h
sb_midi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_mixer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sb_mixer.h fix file specification in comments 2006-10-03 23:01:26 +02:00
sb.h
sequencer.c sound: sequencer: clean up remove bogus check 2010-03-16 07:52:13 +01:00
sh_dac_audio.c sound: oss: sh_dac_audio.c removed duplicated #include 2010-08-12 09:14:02 +02:00
sound_calls.h [PATCH] kill sound/oss/*_syms.c 2006-10-04 07:55:32 -07:00
sound_config.h sound: oss: off by one bug 2010-01-08 09:17:51 +01:00
sound_firmware.h
sound_timer.c sound: oss: fix uninitialized spinlock 2010-08-28 11:57:54 +02:00
soundcard.c sound: Prevent buffer overflow in OSS load_mixer_volumes 2011-01-07 13:58:45 -08:00
soundvers.h
swarm_cs4297a.c sound/oss: convert to unlocked_ioctl 2010-07-12 22:36:47 +02:00
sys_timer.c trivial: remove unnecessary semicolons 2009-09-21 15:14:58 +02:00
trix.c fix file specification in comments 2006-10-03 23:01:26 +02:00
tuning.h [PATCH] The scheduled removal of some OSS drivers 2006-10-04 07:55:32 -07:00
uart401.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
uart6850.c IRQ: Maintain regs pointer globally rather than passing to IRQ handlers 2006-10-05 15:10:12 +01:00
ulaw.h
v_midi.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
v_midi.h sound/oss/v_midi.h: Checkpatch cleanup 2010-03-02 11:22:08 +01:00
vidc_fill.S [ARM] Move include/asm-arm/arch-* to arch/arm/*/include/mach 2008-08-07 09:55:48 +01:00
vidc.c sound/oss: Remove dead CONFIG_SOFTOSS* 2010-07-21 15:02:46 +02:00
vidc.h IRQ: Maintain regs pointer globally rather than passing to IRQ handlers 2006-10-05 15:10:12 +01:00
vwsnd.c sound/oss: convert to unlocked_ioctl 2010-07-12 22:36:47 +02:00
waveartist.c sound: oss: waveartist: simplify waveartist_sleep() 2010-07-26 10:33:41 +02:00
waveartist.h fix file specification in comments 2006-10-03 23:01:26 +02:00

The modular sound driver patches were funded by Red Hat Software 
(www.redhat.com). The sound driver here is thus a modified version of 
Hannu's code. Please bear that in mind when considering the appropriate
forums for bug reporting. 

Alan Cox