* [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
@ 2020-04-14 6:51 yangerkun
2020-04-14 6:54 ` Takashi Iwai
0 siblings, 1 reply; 3+ messages in thread
From: yangerkun @ 2020-04-14 6:51 UTC (permalink / raw)
To: perex, tiwai; +Cc: alsa-devel, yangerkun
CVE-2020-11725 report that 'count = info->owner' may result a
SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
use info->count.
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
sound/core/control.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
v1->v2: reword the patch head
diff --git a/sound/core/control.c b/sound/core/control.c
index aa0c0cf182af..c77ca7f39637 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
return -ENOMEM;
/* Check the number of elements for this userspace control. */
- count = info->owner;
+ count = info->count;
if (count == 0)
count = 1;
--
2.21.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
2020-04-14 6:51 [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add yangerkun
@ 2020-04-14 6:54 ` Takashi Iwai
2020-04-14 9:03 ` yangerkun
0 siblings, 1 reply; 3+ messages in thread
From: Takashi Iwai @ 2020-04-14 6:54 UTC (permalink / raw)
To: yangerkun; +Cc: alsa-devel, tiwai
On Tue, 14 Apr 2020 08:51:09 +0200,
yangerkun wrote:
>
> CVE-2020-11725 report that 'count = info->owner' may result a
> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
> use info->count.
>
> Signed-off-by: yangerkun <yangerkun@huawei.com>
The CVE report is simply wrong. info->owner is used intentionally for
this specific API to add a user-space control. For the normal kernel
kctls, the field is used indeed for storing the pid, but but the
user-space kctl addition API usage is an exception.
You can see the another use of info->count of field in the very same
function at a later point and find it has a different meaning.
The CVE should be disputed.
thanks,
Takashi
> ---
> sound/core/control.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> v1->v2: reword the patch head
>
> diff --git a/sound/core/control.c b/sound/core/control.c
> index aa0c0cf182af..c77ca7f39637 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
> return -ENOMEM;
>
> /* Check the number of elements for this userspace control. */
> - count = info->owner;
> + count = info->count;
> if (count == 0)
> count = 1;
>
> --
> 2.21.1
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
2020-04-14 6:54 ` Takashi Iwai
@ 2020-04-14 9:03 ` yangerkun
0 siblings, 0 replies; 3+ messages in thread
From: yangerkun @ 2020-04-14 9:03 UTC (permalink / raw)
To: Takashi Iwai; +Cc: alsa-devel, tiwai
On 2020/4/14 14:54, Takashi Iwai wrote:
> On Tue, 14 Apr 2020 08:51:09 +0200,
> yangerkun wrote:
>>
>> CVE-2020-11725 report that 'count = info->owner' may result a
>> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
>> use info->count.
>>
>> Signed-off-by: yangerkun <yangerkun@huawei.com>
>
> The CVE report is simply wrong. info->owner is used intentionally for
> this specific API to add a user-space control. For the normal kernel
> kctls, the field is used indeed for storing the pid, but but the
> user-space kctl addition API usage is an exception.
>
> You can see the another use of info->count of field in the very same
> function at a later point and find it has a different meaning.
>
> The CVE should be disputed.
Got it! Thanks for your reply.
>
>
> thanks,
>
> Takashi
>
>> ---
>> sound/core/control.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> v1->v2: reword the patch head
>>
>> diff --git a/sound/core/control.c b/sound/core/control.c
>> index aa0c0cf182af..c77ca7f39637 100644
>> --- a/sound/core/control.c
>> +++ b/sound/core/control.c
>> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
>> return -ENOMEM;
>>
>> /* Check the number of elements for this userspace control. */
>> - count = info->owner;
>> + count = info->count;
>> if (count == 0)
>> count = 1;
>>
>> --
>> 2.21.1
>>
>
> .
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-04-14 9:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-14 6:51 [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add yangerkun
2020-04-14 6:54 ` Takashi Iwai
2020-04-14 9:03 ` yangerkun
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).