From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28D76C2D0E8 for ; Thu, 26 Mar 2020 23:25:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F01642077D for ; Thu, 26 Mar 2020 23:25:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585265153; bh=DMDAmsX01Z1tF2K9W75nHKqQQTSG6LCtx+m5EJLBaZ4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=IIbYArqYz32CHHLZJihuLpFHorizsEknMk45AivY3oft/gXp9r7AM9RhCzI/WSB0l Lg/T3Gvj3UiVwkIN+PYBBv75pzhxWxutadD09oGaOVTcjFXvPDofd7B8QzO78z0u9X LpXzHeSIcsrjFUBYyb3xlEW2bxfWSFOG1kdCjzhA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728407AbgCZXZk (ORCPT ); Thu, 26 Mar 2020 19:25:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:46762 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728385AbgCZXZk (ORCPT ); Thu, 26 Mar 2020 19:25:40 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C1F7C208E0; Thu, 26 Mar 2020 23:25:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585265139; bh=DMDAmsX01Z1tF2K9W75nHKqQQTSG6LCtx+m5EJLBaZ4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=U3Xunht/1WWDqV2kfFshyivuN98Rd6dmjVzJx2OsECPkt+TxD8BBHSnpgvsZm/ReQ 8RtolHd5KgoBL+wxGMBmIIciCsGX8UgPzgVezjkOdsbVE5ql5dAj2NBjQVWa8K6xmE Tm1wYu9/e4+op2y/8acOCYB5JpRoNNznX6qE/Llg= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Takashi Iwai , syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com, Sasha Levin , alsa-devel@alsa-project.org Subject: [PATCH AUTOSEL 4.4 3/4] ALSA: pcm: oss: Avoid plugin buffer overflow Date: Thu, 26 Mar 2020 19:25:34 -0400 Message-Id: <20200326232535.8460-3-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200326232535.8460-1-sashal@kernel.org> References: <20200326232535.8460-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai [ Upstream commit f2ecf903ef06eb1bbbfa969db9889643d487e73a ] Each OSS PCM plugins allocate its internal buffer per pre-calculation of the max buffer size through the chain of plugins (calling src_frames and dst_frames callbacks). This works for most plugins, but the rate plugin might behave incorrectly. The calculation in the rate plugin involves with the fractional position, i.e. it may vary depending on the input position. Since the buffer size pre-calculation is always done with the offset zero, it may return a shorter size than it might be; this may result in the out-of-bound access as spotted by fuzzer. This patch addresses those possible buffer overflow accesses by simply setting the upper limit per the given buffer size for each plugin before src_frames() and after dst_frames() calls. Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin --- sound/core/oss/pcm_plugin.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c index c6888d76ca5e9..b08b2d2d804bd 100644 --- a/sound/core/oss/pcm_plugin.c +++ b/sound/core/oss/pcm_plugin.c @@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_p if (stream == SNDRV_PCM_STREAM_PLAYBACK) { plugin = snd_pcm_plug_last(plug); while (plugin && drv_frames > 0) { + if (drv_frames > plugin->buf_frames) + drv_frames = plugin->buf_frames; plugin_prev = plugin->prev; if (plugin->src_frames) drv_frames = plugin->src_frames(plugin, drv_frames); @@ -220,6 +222,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_p plugin_next = plugin->next; if (plugin->dst_frames) drv_frames = plugin->dst_frames(plugin, drv_frames); + if (drv_frames > plugin->buf_frames) + drv_frames = plugin->buf_frames; plugin = plugin_next; } } else @@ -248,11 +252,15 @@ snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *plug, snd_pc if (frames < 0) return frames; } + if (frames > plugin->buf_frames) + frames = plugin->buf_frames; plugin = plugin_next; } } else if (stream == SNDRV_PCM_STREAM_CAPTURE) { plugin = snd_pcm_plug_last(plug); while (plugin) { + if (frames > plugin->buf_frames) + frames = plugin->buf_frames; plugin_prev = plugin->prev; if (plugin->src_frames) { frames = plugin->src_frames(plugin, frames); -- 2.20.1