ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl

commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream.

The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 22dbd91811a4e61398a9b9077c5cbe26c0139119..448dd01943f50979b8d2b929800d076552aeab53 100644 (file)
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -155,6 +155,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                goto out;
        }
 
+       if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+               err = -EINVAL;
+               goto out;
+       }
+
        pa = &adapters[hm->h.adapter_index];
        hr->h.size = 0;
        if (hm->h.object == HPI_OBJ_SUBSYSTEM) {