diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2011-03-23 10:53:41 -0400 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2011-04-30 16:53:32 +0200 |
commit | 0c1681274394c0af6660393af7d4f01c8db5c3b2 (patch) | |
tree | c8f711a5f8f3d41b5c66cf8d6e801c8a81dd23a0 /sound/oss/midi_synth.h | |
parent | 5ec5648c0aa9f796189582e8feb8b78486032aae (diff) |
sound/oss: remove offset from load_patch callbacks
commit b769f49463711205d57286e64cf535ed4daf59e9 upstream.
Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
uninitialized value, and signedness issue
The offset passed to midi_synth_load_patch() can be essentially
arbitrary. If it's greater than the header length, this will result in
a copy_from_user(dst, src, negative_val). While this will just return
-EFAULT on x86, on other architectures this may cause memory corruption.
Additionally, the length field of the sysex_info structure may not be
initialized prior to its use. Finally, a signed comparison may result
in an unintentionally large loop.
On suggestion by Takashi Iwai, version two removes the offset argument
from the load_patch callbacks entirely, which also resolves similar
issues in opl3. Compile tested only.
v3 adjusts comments and hopefully gets copy offsets right.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'sound/oss/midi_synth.h')
-rw-r--r-- | sound/oss/midi_synth.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/oss/midi_synth.h b/sound/oss/midi_synth.h index 6bc9d00bc77c..b64ddd6c4abc 100644 --- a/sound/oss/midi_synth.h +++ b/sound/oss/midi_synth.h @@ -8,7 +8,7 @@ int midi_synth_open (int dev, int mode); void midi_synth_close (int dev); void midi_synth_hw_control (int dev, unsigned char *event); int midi_synth_load_patch (int dev, int format, const char __user * addr, - int offs, int count, int pmgr_flag); + int count, int pmgr_flag); void midi_synth_panning (int dev, int channel, int pressure); void midi_synth_aftertouch (int dev, int channel, int pressure); void midi_synth_controller (int dev, int channel, int ctrl_num, int value); |