renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-21 11:44:01 +08:00
Code
4fa0e81b83
linux-next/sound
History
Xi Wang 4fa0e81b83 ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range() 
A malicious USB device may feed in carefully crafted min/max/res values,
so that the inner loop in parse_uac2_sample_rate_range() could run for
a long time or even never terminate, e.g., given max = INT_MAX.

Also nr_rates could be a large integer, which causes an integer overflow
in the subsequent call to kmalloc() in parse_audio_format_rates_v2().
Thus, kmalloc() would allocate a smaller buffer than expected, leading
to a memory corruption.

To exploit the two vulnerabilities, an attacker needs physical access
to the machine to plug in a malicious USB device.

This patch makes two changes.

1) The type of "rate" is changed to unsigned int, so that the loop could
   stop once "rate" is larger than INT_MAX.

2) Limit nr_rates to 1024.

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-01-08 16:03:12 +01:00
..
aoa sound: Add module.h to the previously silent sound users 2011-10-31 19:31:21 -04:00
arm ALSA: convert sound/* to use module_platform_driver() 2011-11-27 18:43:48 +01:00
atmel Merge branch 'master' into for-next 2011-07-11 14:15:55 +02:00
core ALSA: core: add makefile and kconfig file for compress 2011-12-23 10:08:38 +01:00
drivers ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
firewire Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
i2c sound: Add module.h to the previously silent sound users 2011-10-31 19:31:21 -04:00
isa ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
mips ALSA: Convert mips directory to module_platform_driver 2011-11-24 13:03:02 +01:00
oss ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
parisc
pci ALSA: Au88x0 - Fix channels swapping of 4 channels playback 2012-01-08 14:39:26 +01:00
pcmcia ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
ppc ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
sh ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
soc ASoC: Supply dcs_codes for newer WM1811 revisions 2011-11-28 23:18:38 +00:00
sparc ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
spi ALSA: atmel - update author email for ABDAC, AC97C and AT73C213 2011-06-28 16:56:07 +02:00
synth sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
usb ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range() 2012-01-08 16:03:12 +01:00
ac97_bus.c sound: Fixed line limit issue in sound/ac97_bus.c 2010-12-06 16:09:49 +01:00
Kconfig um: switch to use of drivers/Kconfig 2011-11-02 14:15:41 +01:00
last.c
Makefile ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver 2011-03-15 08:42:22 +01:00
sound_core.c sound: Use sound_register_*() for additional OSS minor devices 2011-03-09 20:10:37 +01:00
sound_firmware.c sound: read i_size with i_size_read() 2011-03-18 15:14:57 +01:00