Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 3f9219b3681d9226d0b2b1dd843919d2511ea1f6
commit3f9219b3681d9226d0b2b1dd843919d2511ea1f6[log] [tgz]
authorSiqi Lin <siqilin@google.com>Wed Nov 02 16:51:08 2016 -0700
committerTeemu Hukkanen <teemu@fairphone.com>Sun Jan 29 22:20:21 2017 +0100
tree1fa0b01d3222c5981d00e8a7cb769403077b6c2e
parent4f8b2d599319bb3a45f4ef513492a5ea4d6a5d81 [diff]
FPII-2725:ALSA: info: Check for integer overflow in snd_info_entry_write() CVE-2017-0404 A-32510733

ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Bug: 32510733
Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <siqilin@google.com>
1 file changed
tree: 1fa0b01d3222c5981d00e8a7cb769403077b6c2e
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS