diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2011-03-23 10:53:41 -0400 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2011-03-23 22:47:46 +0100 |
commit | b769f49463711205d57286e64cf535ed4daf59e9 (patch) | |
tree | 1c674fdbed533434d2ba9b7b1b3646243160e55c /virt/kvm/assigned-dev.c | |
parent | ce24f58a1187ca3058d72c3f897e3b574209ab20 (diff) | |
download | linux-b769f49463711205d57286e64cf535ed4daf59e9.tar.bz2 |
sound/oss: remove offset from load_patch callbacks
Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
uninitialized value, and signedness issue
The offset passed to midi_synth_load_patch() can be essentially
arbitrary. If it's greater than the header length, this will result in
a copy_from_user(dst, src, negative_val). While this will just return
-EFAULT on x86, on other architectures this may cause memory corruption.
Additionally, the length field of the sysex_info structure may not be
initialized prior to its use. Finally, a signed comparison may result
in an unintentionally large loop.
On suggestion by Takashi Iwai, version two removes the offset argument
from the load_patch callbacks entirely, which also resolves similar
issues in opl3. Compile tested only.
v3 adjusts comments and hopefully gets copy offsets right.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'virt/kvm/assigned-dev.c')
0 files changed, 0 insertions, 0 deletions