alsa-devel.alsa-project.org archive mirror
 help / color / mirror / Atom feed
* [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
@ 2020-04-14  6:51 yangerkun
  2020-04-14  6:54 ` Takashi Iwai
  0 siblings, 1 reply; 3+ messages in thread
From: yangerkun @ 2020-04-14  6:51 UTC (permalink / raw)
  To: perex, tiwai; +Cc: alsa-devel, yangerkun

CVE-2020-11725 report that 'count = info->owner' may result a
SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
use info->count.

Signed-off-by: yangerkun <yangerkun@huawei.com>
---
 sound/core/control.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

v1->v2: reword the patch head

diff --git a/sound/core/control.c b/sound/core/control.c
index aa0c0cf182af..c77ca7f39637 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
 		return -ENOMEM;
 
 	/* Check the number of elements for this userspace control. */
-	count = info->owner;
+	count = info->count;
 	if (count == 0)
 		count = 1;
 
-- 
2.21.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
  2020-04-14  6:51 [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add yangerkun
@ 2020-04-14  6:54 ` Takashi Iwai
  2020-04-14  9:03   ` yangerkun
  0 siblings, 1 reply; 3+ messages in thread
From: Takashi Iwai @ 2020-04-14  6:54 UTC (permalink / raw)
  To: yangerkun; +Cc: alsa-devel, tiwai

On Tue, 14 Apr 2020 08:51:09 +0200,
yangerkun wrote:
> 
> CVE-2020-11725 report that 'count = info->owner' may result a
> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
> use info->count.
> 
> Signed-off-by: yangerkun <yangerkun@huawei.com>

The CVE report is simply wrong.  info->owner is used intentionally for
this specific API to add a user-space control.  For the normal kernel
kctls, the field is used indeed for storing the pid, but but the
user-space kctl addition API usage is an exception.

You can see the another use of info->count of field in the very same
function at a later point and find it has a different meaning.

The CVE should be disputed.


thanks,

Takashi

> ---
>  sound/core/control.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> v1->v2: reword the patch head
> 
> diff --git a/sound/core/control.c b/sound/core/control.c
> index aa0c0cf182af..c77ca7f39637 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
>  		return -ENOMEM;
>  
>  	/* Check the number of elements for this userspace control. */
> -	count = info->owner;
> +	count = info->count;
>  	if (count == 0)
>  		count = 1;
>  
> -- 
> 2.21.1
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
  2020-04-14  6:54 ` Takashi Iwai
@ 2020-04-14  9:03   ` yangerkun
  0 siblings, 0 replies; 3+ messages in thread
From: yangerkun @ 2020-04-14  9:03 UTC (permalink / raw)
  To: Takashi Iwai; +Cc: alsa-devel, tiwai



On 2020/4/14 14:54, Takashi Iwai wrote:
> On Tue, 14 Apr 2020 08:51:09 +0200,
> yangerkun wrote:
>>
>> CVE-2020-11725 report that 'count = info->owner' may result a
>> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
>> use info->count.
>>
>> Signed-off-by: yangerkun <yangerkun@huawei.com>
> 
> The CVE report is simply wrong.  info->owner is used intentionally for
> this specific API to add a user-space control.  For the normal kernel
> kctls, the field is used indeed for storing the pid, but but the
> user-space kctl addition API usage is an exception.
> 
> You can see the another use of info->count of field in the very same
> function at a later point and find it has a different meaning.
> 
> The CVE should be disputed.

Got it! Thanks for your reply.

> 
> 
> thanks,
> 
> Takashi
> 
>> ---
>>   sound/core/control.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> v1->v2: reword the patch head
>>
>> diff --git a/sound/core/control.c b/sound/core/control.c
>> index aa0c0cf182af..c77ca7f39637 100644
>> --- a/sound/core/control.c
>> +++ b/sound/core/control.c
>> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
>>   		return -ENOMEM;
>>   
>>   	/* Check the number of elements for this userspace control. */
>> -	count = info->owner;
>> +	count = info->count;
>>   	if (count == 0)
>>   		count = 1;
>>   
>> -- 
>> 2.21.1
>>
> 
> .
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-04-14  9:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-14  6:51 [RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add yangerkun
2020-04-14  6:54 ` Takashi Iwai
2020-04-14  9:03   ` yangerkun

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).