Candidate: CVE-2010-3442
Description:
 > On 09/29/2010 03:01 PM, Marcus Meissner wrote:
 > > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
 > >> Reported by Dan Rosenberg. The snd_ctl_new() function in
 > >> sound/core/control.c allocates space for a snd_kcontrol struct by
 > >> performing arithmetic operations on a user-provided size without
 > >> checking for integer overflow. If a user provides a large enough size
 > >> an overflow will occur, the allocated chunk will be too small, and a
 > >> second user-influenced value will be written repeatedly past the bounds
 > >> of this chunk. This code is reachable by unprivileged users who have
 > >> permission to open a /dev/snd/controlC* device (on many distros, this is
 > >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
 > >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
References:
Notes:
Bugs:
upstream: released (2.6.36) [5591bf07225523600450edd9e6ad258bb877b779]
2.6.32-upstream-stable: released (2.6.32.25)
linux-2.6: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
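The following is an added illustration of the bug class the description above refers to (an allocation size computed as `header + element_size * user_count` without an overflow check). It is not code from this tracker entry, from the kernel, or from the referenced fix: the struct types, the `MAX_COUNT` cap and the 32-bit arithmetic (standing in for `size_t` on a 32-bit kernel) are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in layouts; these are NOT the kernel's snd_kcontrol
 * or snd_kcontrol_volatile structures. */
struct hdr  { uint32_t count; uint32_t access; };   /* 8 bytes */
struct elem { uint32_t access; uint32_t owner;  };  /* 8 bytes */

/* Assumed upper bound on the element count. Any sane application-level
 * limit removes the overflow; the exact value is an illustration only. */
#define MAX_COUNT 1028u

/* Vulnerable pattern: the size is computed in 32-bit unsigned arithmetic
 * (modelling size_t on a 32-bit kernel) from a caller-supplied count with
 * no overflow check. For large counts the multiplication wraps and the
 * function returns a value far smaller than the space actually needed. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return (uint32_t)sizeof(struct hdr) + (uint32_t)sizeof(struct elem) * count;
}

/* Hardened variant: reject a zero count, a count above the cap, and any
 * count whose multiplication or addition would wrap. Returns 0 when the
 * request is rejected, otherwise the exact allocation size. Written
 * without compiler builtins so it is portable. */
uint32_t checked_alloc_size(uint32_t count)
{
    const uint32_t hdr_sz  = (uint32_t)sizeof(struct hdr);
    const uint32_t elem_sz = (uint32_t)sizeof(struct elem);

    if (count == 0 || count > MAX_COUNT)
        return 0;
    /* Would elem_sz * count exceed what fits beside the header? */
    if (count > (UINT32_MAX - hdr_sz) / elem_sz)
        return 0;
    return hdr_sz + elem_sz * count;
}

/* Returns 1 when the unchecked size is smaller than the space a loop
 * writing `count` elements after the header would touch, i.e. when an
 * allocation of that size would be overrun. The comparison is done in
 * 64 bits so the true requirement is not itself truncated. */
int unchecked_size_is_too_small(uint32_t count)
{
    uint64_t needed = (uint64_t)sizeof(struct hdr)
                    + (uint64_t)sizeof(struct elem) * (uint64_t)count;
    return (uint64_t)unchecked_alloc_size(count) < needed;
}

int main(void)
{
    uint32_t benign = 4;
    uint32_t wrapping = 0x20000001u;   /* 8 * count wraps to 8 in 32 bits */

    printf("count=%u unchecked=%u checked=%u too_small=%d\n",
           benign, unchecked_alloc_size(benign),
           checked_alloc_size(benign), unchecked_size_is_too_small(benign));
    printf("count=%u unchecked=%u checked=%u too_small=%d\n",
           wrapping, unchecked_alloc_size(wrapping),
           checked_alloc_size(wrapping), unchecked_size_is_too_small(wrapping));
    return 0;
}
```

The point for a reviewer is the shape of the fix: a bound on the count (or an overflow-aware size computation such as the kernel's later `struct_size()` helpers) must be applied before the size is handed to the allocator, because the allocator cannot tell a wrapped request from a small legitimate one.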