2.6.37-stable review patch. If anyone has any objections, please let us know.
------------------ From: Dan Rosenberg <[email protected]> commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream. The user-supplied index into the adapters array needs to be checked, or an out-of-bounds kernel pointer could be accessed and used, leading to potentially exploitable memory corruption. Signed-off-by: Dan Rosenberg <[email protected]> Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- sound/pci/asihpi/hpioctl.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -155,6 +155,11 @@ long asihpi_hpi_ioctl(struct file *file, goto out; } + if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) { + err = -EINVAL; + goto out; + } + pa = &adapters[hm->h.adapter_index]; hr->h.size = 0; if (hm->h.object == HPI_OBJ_SUBSYSTEM) { _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
