[patch] ALSA: compress: fix an integer overflow check

All of lore.kernel.org
 help / color / mirror / Atom feed

* [patch] ALSA: compress: fix an integer overflow check
@ 2014-07-16  6:37 ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-07-16  6:37 UTC (permalink / raw)
  To: Vinod Koul; +Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, kernel-janitors

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
The other option would be to declare buffer_size as size_t instead of
an unsigned int.  This feels like a safer fix though.

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 7403f34..89028fa 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [patch] ALSA: compress: fix an integer overflow check
@ 2014-07-16  6:37 ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-07-16  6:37 UTC (permalink / raw)
  To: Vinod Koul; +Cc: Jaroslav Kysela, Takashi Iwai, alsa-devel, kernel-janitors

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
The other option would be to declare buffer_size as size_t instead of
an unsigned int.  This feels like a safer fix though.

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 7403f34..89028fa 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size = 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [patch] ALSA: compress: fix an integer overflow check
  2014-07-16  6:37 ` Dan Carpenter
@ 2014-07-16 14:34   ` Takashi Iwai
  -1 siblings, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2014-07-16 14:34 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Vinod Koul, Jaroslav Kysela, alsa-devel, kernel-janitors

At Wed, 16 Jul 2014 09:37:04 +0300,
Dan Carpenter wrote:
> 
> I previously added an integer overflow check here but looking at it now,
> it's still buggy.
> 
> The bug happens in snd_compr_allocate_buffer().  We multiply
> ".fragments" and ".fragment_size" and that doesn't overflow but then we
> save it in an unsigned int so it truncates the high bits away and we
> allocate a smaller than expected size.
> 
> Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> The other option would be to declare buffer_size as size_t instead of
> an unsigned int.  This feels like a safer fix though.

Agreed, I took the patch now as is.  Thanks.


Takashi

> 
> diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
> index 7403f34..89028fa 100644
> --- a/sound/core/compress_offload.c
> +++ b/sound/core/compress_offload.c
> @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
>  {
>  	/* first let's check the buffer parameter's */
>  	if (params->buffer.fragment_size == 0 ||
> -			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
> +	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
>  		return -EINVAL;
>  
>  	/* now codec parameters */
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [patch] ALSA: compress: fix an integer overflow check
@ 2014-07-16 14:34   ` Takashi Iwai
  0 siblings, 0 replies; 4+ messages in thread
From: Takashi Iwai @ 2014-07-16 14:34 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: Vinod Koul, Jaroslav Kysela, alsa-devel, kernel-janitors

At Wed, 16 Jul 2014 09:37:04 +0300,
Dan Carpenter wrote:
> 
> I previously added an integer overflow check here but looking at it now,
> it's still buggy.
> 
> The bug happens in snd_compr_allocate_buffer().  We multiply
> ".fragments" and ".fragment_size" and that doesn't overflow but then we
> save it in an unsigned int so it truncates the high bits away and we
> allocate a smaller than expected size.
> 
> Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> The other option would be to declare buffer_size as size_t instead of
> an unsigned int.  This feels like a safer fix though.

Agreed, I took the patch now as is.  Thanks.


Takashi

> 
> diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
> index 7403f34..89028fa 100644
> --- a/sound/core/compress_offload.c
> +++ b/sound/core/compress_offload.c
> @@ -491,7 +491,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
>  {
>  	/* first let's check the buffer parameter's */
>  	if (params->buffer.fragment_size = 0 ||
> -			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
> +	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
>  		return -EINVAL;
>  
>  	/* now codec parameters */
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-07-16 14:34 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-07-16  6:37 [patch] ALSA: compress: fix an integer overflow check Dan Carpenter
2014-07-16  6:37 ` Dan Carpenter
2014-07-16 14:34 ` Takashi Iwai
2014-07-16 14:34   ` Takashi Iwai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.