From 23365ad3eacbfd823634bc9241b0ac31e9b72364 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Thu, 17 Mar 2011 18:32:24 -0400
Subject: [CVE-2011-1169][Maverick][PATCH] ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169

CVE-2011-1169

BugLink: http://bugs.launchpad.net/bugs/785331

Released until now with stable versions 2.6.37.5, 2.6.38.1

The user-supplied index into the adapters array needs to be checked, or
an out-of-bounds kernel pointer could be accessed and used, leading to
potentially exploitable memory corruption.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(backported from commit 4a122c10fbfe9020df469f0f669da129c5757671 upstream)
Signed-off-by: Herton Krzesinski <herton.krzesinski@canonical.com>
---
 sound/pci/asihpi/hpioctl.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 7396ac5..7b600f7 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -146,6 +146,11 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		goto out;
 	}
 
+	if (hm->h.adapter_index >= HPI_MAX_ADAPTERS) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	pa = &adapters[hm->h.adapter_index];
 	hr->h.size = 0;
 	if (hm->h.object == HPI_OBJ_SUBSYSTEM) {
-- 
1.7.0.4