* [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace
@ 2018-08-31 11:00 Xiao Yang
2018-09-01 7:39 ` Takashi Iwai
0 siblings, 1 reply; 3+ messages in thread
From: Xiao Yang @ 2018-08-31 11:00 UTC (permalink / raw)
To: tiwai; +Cc: alsa-devel, 92siuyang, linux-kernel, rf, viro, Xiao Yang
From: Young_X <YangX92@hotmail.com>
The ALSA control code expects that the range of assigned indices to a
control is continuous and does not overflow. Currently there are no
checks to enforce this.
If a control with a overflowing index range is created that control
becomes effectively inaccessible and unremovable since
snd_ctl_find_id() will not be able to find it. This patch adds a check
that makes sure that controls with a overflowing index range can not
be created.
(same issue as CVE-2014-4656)
Signed-off-by: Young_X <YangX92@hotmail.com>
---
sound/core/control.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c
index 9aa15bf..6435772 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
goto error;
}
id = kcontrol->id;
+ if (id.index > UINT_MAX - kcontrol->count) {
+ ret = -EINVAL;
+ goto error;
+ }
+
down_write(&card->controls_rwsem);
old = snd_ctl_find_id(card, &id);
if (!old) {
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace
2018-08-31 11:00 [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace Xiao Yang
@ 2018-09-01 7:39 ` Takashi Iwai
0 siblings, 0 replies; 3+ messages in thread
From: Takashi Iwai @ 2018-09-01 7:39 UTC (permalink / raw)
To: Xiao Yang; +Cc: alsa-devel, 92siuyang, rf, o-takashi, linux-kernel, viro
On Fri, 31 Aug 2018 13:00:02 +0200,
Xiao Yang wrote:
>
> From: Young_X <YangX92@hotmail.com>
>
> The ALSA control code expects that the range of assigned indices to a
> control is continuous and does not overflow. Currently there are no
> checks to enforce this.
> If a control with a overflowing index range is created that control
> becomes effectively inaccessible and unremovable since
> snd_ctl_find_id() will not be able to find it. This patch adds a check
> that makes sure that controls with a overflowing index range can not
> be created.
> (same issue as CVE-2014-4656)
>
> Signed-off-by: Young_X <YangX92@hotmail.com>
Thanks for the patch.
Actually this function has been never used (at least for years), hence
the best "fix" would be just to get rid of the whole function, IMO.
Takashi
> ---
> sound/core/control.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/sound/core/control.c b/sound/core/control.c
> index 9aa15bf..6435772 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
> goto error;
> }
> id = kcontrol->id;
> + if (id.index > UINT_MAX - kcontrol->count) {
> + ret = -EINVAL;
> + goto error;
> + }
> +
> down_write(&card->controls_rwsem);
> old = snd_ctl_find_id(card, &id);
> if (!old) {
> --
> 2.7.4
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace
@ 2018-09-01 7:39 ` Takashi Iwai
0 siblings, 0 replies; 3+ messages in thread
From: Takashi Iwai @ 2018-09-01 7:39 UTC (permalink / raw)
To: Xiao Yang; +Cc: alsa-devel, 92siuyang, linux-kernel, rf, viro
On Fri, 31 Aug 2018 13:00:02 +0200,
Xiao Yang wrote:
>
> From: Young_X <YangX92@hotmail.com>
>
> The ALSA control code expects that the range of assigned indices to a
> control is continuous and does not overflow. Currently there are no
> checks to enforce this.
> If a control with a overflowing index range is created that control
> becomes effectively inaccessible and unremovable since
> snd_ctl_find_id() will not be able to find it. This patch adds a check
> that makes sure that controls with a overflowing index range can not
> be created.
> (same issue as CVE-2014-4656)
>
> Signed-off-by: Young_X <YangX92@hotmail.com>
Thanks for the patch.
Actually this function has been never used (at least for years), hence
the best "fix" would be just to get rid of the whole function, IMO.
Takashi
> ---
> sound/core/control.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/sound/core/control.c b/sound/core/control.c
> index 9aa15bf..6435772 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -441,6 +441,11 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
> goto error;
> }
> id = kcontrol->id;
> + if (id.index > UINT_MAX - kcontrol->count) {
> + ret = -EINVAL;
> + goto error;
> + }
> +
> down_write(&card->controls_rwsem);
> old = snd_ctl_find_id(card, &id);
> if (!old) {
> --
> 2.7.4
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-09-01 7:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-31 11:00 [PATCH] ALSA: control: Make sure that id->index does not overflow in function snd_ctl_replace Xiao Yang
2018-09-01 7:39 ` Takashi Iwai
2018-09-01 7:39 ` Takashi Iwai
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.