From: yangerkun <yangerkun@huawei.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: alsa-devel@alsa-project.org, tiwai@suse.com
Subject: Re: [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
Date: Tue, 14 Apr 2020 17:03:21 +0800 [thread overview]
Message-ID: <59873ec6-b18c-a241-40c0-da75d089b128@huawei.com> (raw)
In-Reply-To: <s5h4ktmlfpx.wl-tiwai@suse.de>
On 2020/4/14 14:54, Takashi Iwai wrote:
> On Tue, 14 Apr 2020 08:51:09 +0200,
> yangerkun wrote:
>>
>> CVE-2020-11725 report that 'count = info->owner' may result a
>> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
>> use info->count.
>>
>> Signed-off-by: yangerkun <yangerkun@huawei.com>
>
> The CVE report is simply wrong. info->owner is used intentionally for
> this specific API to add a user-space control. For the normal kernel
> kctls, the field is used indeed for storing the pid, but but the
> user-space kctl addition API usage is an exception.
>
> You can see the another use of info->count of field in the very same
> function at a later point and find it has a different meaning.
>
> The CVE should be disputed.
Got it! Thanks for your reply.
>
>
> thanks,
>
> Takashi
>
>> ---
>> sound/core/control.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> v1->v2: reword the patch head
>>
>> diff --git a/sound/core/control.c b/sound/core/control.c
>> index aa0c0cf182af..c77ca7f39637 100644
>> --- a/sound/core/control.c
>> +++ b/sound/core/control.c
>> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
>> return -ENOMEM;
>>
>> /* Check the number of elements for this userspace control. */
>> - count = info->owner;
>> + count = info->count;
>> if (count == 0)
>> count = 1;
>>
>> --
>> 2.21.1
>>
>
> .
>
prev parent reply other threads:[~2020-04-14 9:04 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-14 6:51 [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add yangerkun
2020-04-14 6:54 ` Takashi Iwai
2020-04-14 9:03 ` yangerkun [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=59873ec6-b18c-a241-40c0-da75d089b128@huawei.com \
--to=yangerkun@huawei.com \
--cc=alsa-devel@alsa-project.org \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).