ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl
Dan Rosenberg [Thu, 17 Mar 2011 22:32:24 +0000 (18:32 -0400)]
The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

sound/pci/asihpi/hpioctl.c

index 26186be..cd624f1 100644 (file)
@@ -156,6 +156,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                goto out;
        }
 
+       if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+               err = -EINVAL;
+               goto out;
+       }
+
        pa = &adapters[hm->h.adapter_index];
        hr->h.size = res_max_size;
        if (hm->h.object == HPI_OBJ_SUBSYSTEM) {