Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755643Ab1CQWcc (ORCPT ); Thu, 17 Mar 2011 18:32:32 -0400 Received: from mx1.vsecurity.com ([209.67.252.12]:52289 "EHLO mx1.vsecurity.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754834Ab1CQWca (ORCPT ); Thu, 17 Mar 2011 18:32:30 -0400 Subject: [PATCH] sound/pci/asihpi: check adapter index in hpi_ioctl From: Dan Rosenberg To: Jaroslav Kysela , Takashi Iwai Cc: security@kernel.org, stable@kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Date: Thu, 17 Mar 2011 18:32:24 -0400 Message-ID: <1300401144.1796.4.camel@dan> Mime-Version: 1.0 X-Mailer: Evolution 2.28.3 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1055 Lines: 32 The user-supplied index into the adapters array needs to be checked, or an out-of-bounds kernel pointer could be accessed and used, leading to potentially exploitable memory corruption. Signed-off-by: Dan Rosenberg --- sound/pci/asihpi/hpioctl.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index 22dbd91..448dd01 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -155,6 +155,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) goto out; } + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) { + err = -EINVAL; + goto out; + } + pa = &adapters[hm->h.adapter_index]; hr->h.size = 0; if (hm->h.object == HPI_OBJ_SUBSYSTEM) { -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/