CVE-2020-11725 report that 'count = info->owner' may result a SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should use info->count. Signed-off-by: yangerkun <yangerkun@huawei.com> --- sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) v1->v2: reword the patch head diff --git a/sound/core/control.c b/sound/core/control.c index aa0c0cf182af..c77ca7f39637 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, return -ENOMEM; /* Check the number of elements for this userspace control. */ - count = info->owner; + count = info->count; if (count == 0) count = 1; -- 2.21.1
On Tue, 14 Apr 2020 08:51:09 +0200, yangerkun wrote: > > CVE-2020-11725 report that 'count = info->owner' may result a > SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should > use info->count. > > Signed-off-by: yangerkun <yangerkun@huawei.com> The CVE report is simply wrong. info->owner is used intentionally for this specific API to add a user-space control. For the normal kernel kctls, the field is used indeed for storing the pid, but but the user-space kctl addition API usage is an exception. You can see the another use of info->count of field in the very same function at a later point and find it has a different meaning. The CVE should be disputed. thanks, Takashi > --- > sound/core/control.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > v1->v2: reword the patch head > > diff --git a/sound/core/control.c b/sound/core/control.c > index aa0c0cf182af..c77ca7f39637 100644 > --- a/sound/core/control.c > +++ b/sound/core/control.c > @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, > return -ENOMEM; > > /* Check the number of elements for this userspace control. */ > - count = info->owner; > + count = info->count; > if (count == 0) > count = 1; > > -- > 2.21.1 >
On 2020/4/14 14:54, Takashi Iwai wrote: > On Tue, 14 Apr 2020 08:51:09 +0200, > yangerkun wrote: >> >> CVE-2020-11725 report that 'count = info->owner' may result a >> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should >> use info->count. >> >> Signed-off-by: yangerkun <yangerkun@huawei.com> > > The CVE report is simply wrong. info->owner is used intentionally for > this specific API to add a user-space control. For the normal kernel > kctls, the field is used indeed for storing the pid, but but the > user-space kctl addition API usage is an exception. > > You can see the another use of info->count of field in the very same > function at a later point and find it has a different meaning. > > The CVE should be disputed. Got it! Thanks for your reply. > > > thanks, > > Takashi > >> --- >> sound/core/control.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> v1->v2: reword the patch head >> >> diff --git a/sound/core/control.c b/sound/core/control.c >> index aa0c0cf182af..c77ca7f39637 100644 >> --- a/sound/core/control.c >> +++ b/sound/core/control.c >> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, >> return -ENOMEM; >> >> /* Check the number of elements for this userspace control. */ >> - count = info->owner; >> + count = info->count; >> if (count == 0) >> count = 1; >> >> -- >> 2.21.1 >> > > . >