* [PATCH] ALSA: isa/wavefront: prevent out of bounds write in ioctl
@ 2020-05-01 9:40 Dan Carpenter
2020-05-01 10:27 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2020-05-01 9:40 UTC (permalink / raw)
To: Jaroslav Kysela
Cc: Armijn Hemel, alsa-devel, kernel-janitors, Takashi Iwai, Allison Randal
The "header->number" comes from the ioctl and it needs to be clamped to
prevent out of bounds writes.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This code predates git.
sound/isa/wavefront/wavefront_synth.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
index c5b1d5900eed2..d6420d224d097 100644
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -1171,7 +1171,10 @@ wavefront_send_alias (snd_wavefront_t *dev, wavefront_patch_info *header)
"alias for %d\n",
header->number,
header->hdr.a.OriginalSample);
-
+
+ if (header->number >= WF_MAX_SAMPLE)
+ return -EINVAL;
+
munge_int32 (header->number, &alias_hdr[0], 2);
munge_int32 (header->hdr.a.OriginalSample, &alias_hdr[2], 2);
munge_int32 (*((unsigned int *)&header->hdr.a.sampleStartOffset),
@@ -1202,6 +1205,9 @@ wavefront_send_multisample (snd_wavefront_t *dev, wavefront_patch_info *header)
int num_samples;
unsigned char *msample_hdr;
+ if (header->number >= WF_MAX_SAMPLE)
+ return -EINVAL;
+
msample_hdr = kmalloc(WF_MSAMPLE_BYTES, GFP_KERNEL);
if (! msample_hdr)
return -ENOMEM;
--
2.26.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ALSA: isa/wavefront: prevent out of bounds write in ioctl
2020-05-01 9:40 [PATCH] ALSA: isa/wavefront: prevent out of bounds write in ioctl Dan Carpenter
@ 2020-05-01 10:27 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2020-05-01 10:27 UTC (permalink / raw)
To: Dan Carpenter
Cc: alsa-devel, kernel-janitors, Takashi Iwai, Armijn Hemel, Allison Randal
On Fri, 01 May 2020 11:40:11 +0200,
Dan Carpenter wrote:
>
> The "header->number" comes from the ioctl and it needs to be clamped to
> prevent out of bounds writes.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied now. Thanks.
Takashi
> ---
> This code predates git.
>
> sound/isa/wavefront/wavefront_synth.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c
> index c5b1d5900eed2..d6420d224d097 100644
> --- a/sound/isa/wavefront/wavefront_synth.c
> +++ b/sound/isa/wavefront/wavefront_synth.c
> @@ -1171,7 +1171,10 @@ wavefront_send_alias (snd_wavefront_t *dev, wavefront_patch_info *header)
> "alias for %d\n",
> header->number,
> header->hdr.a.OriginalSample);
> -
> +
> + if (header->number >= WF_MAX_SAMPLE)
> + return -EINVAL;
> +
> munge_int32 (header->number, &alias_hdr[0], 2);
> munge_int32 (header->hdr.a.OriginalSample, &alias_hdr[2], 2);
> munge_int32 (*((unsigned int *)&header->hdr.a.sampleStartOffset),
> @@ -1202,6 +1205,9 @@ wavefront_send_multisample (snd_wavefront_t *dev, wavefront_patch_info *header)
> int num_samples;
> unsigned char *msample_hdr;
>
> + if (header->number >= WF_MAX_SAMPLE)
> + return -EINVAL;
> +
> msample_hdr = kmalloc(WF_MSAMPLE_BYTES, GFP_KERNEL);
> if (! msample_hdr)
> return -ENOMEM;
> --
> 2.26.2
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-05-01 10:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-01 9:40 [PATCH] ALSA: isa/wavefront: prevent out of bounds write in ioctl Dan Carpenter
2020-05-01 10:27 ` Takashi Iwai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).