* 'fix/misc' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n
ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow. If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk. This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
unprivileged users to read uninitialized kernel stack memory, because
several fields of the hdsp{m}_config_info structs declared on the stack
are not altered or zeroed before being copied back to the user. This
patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The SPDIF in audio widget must be searched through the list as the widget
that contains the given pin as the connection source. The current code
was implemented in a reverse way.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
On the HT-Omega Claro halo card, the ADC data must be captured from the
second I2S input. Using the default first input, which isn't connected
to anything, would result in silence.
Signed-off-by: Erik J. Staab <ejs@insightbb.com>
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The clkdev API doesn't use .name and .id members of struct clk for clock
lookup. Instead clocks should be added to a lookup list. Without this patch
audio om the Migo-R board fails silently.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
The PCM proc files may open a race against substream close, which can
end up with an Oops. Use the open_mutex to protect for it.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The pm_qos_request isn't freed properly when OSS PCM emulation is used
because it skips snd_pcm_hw_free() call but directly releases the
stream. This resulted in Oops later.
Tested-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Add a quirk for laptop Toshiba Satellite C650D to have proper external HP and
external Mic support.
Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
If we pass in a device which is higher than SNDRV_RAWMIDI_DEVICES then
the "next device" should be -1. This function just returns device + 1.
But the main thing is that "device + 1" can lead to a (harmless) integer
overflow and that annoys static analysis tools.
[fix the case for device == SNDRV_RAWMIDI_DEVICE by tiwai]
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_hda_parse_pin_def_config() has some workaround for re-assigning
some pins declared as headphones to line-outs. This didn't work properly
for some cases because it used memmove() stupidly wrongly.
Reference: Novell bnc#637263
https://bugzilla.novell.com/show_bug.cgi?id=637263
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The error handling in snd_seq_oss_open() has several bad codes that
do dereferecing released pointers and double-free of kmalloc'ed data.
The object dp is release in free_devinfo() that is called via
private_free callback. The rest shouldn't touch this object any more.
The patch changes delete_port() to call kfree() in any case, and gets
rid of unnecessary calls of destructors in snd_seq_oss_open().
Fixes CVE-2010-3080.
Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The driver doesn't probe the device properly because of left-over cfg[]
that isn't used at all for msnd-classic device. This is only for msnd-
pinnacle.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
