From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 5.10 15/16] ALSA: pcm: oss: Fix potential out-of-bounds shift
Date: Sat, 19 Dec 2020 13:57:22 +0100
Message-ID: <20201219125339.822396243@linuxfoundation.org>
In-Reply-To: <20201219125339.066340030@linuxfoundation.org>

From: Takashi Iwai <tiwai@suse.de>

commit 175b8d89fe292796811fdee87fa39799a5b6b87a upstream.

syzbot spotted a potential out-of-bounds shift in the PCM OSS layer
where it calculates the buffer size with the arbitrary shift value
given via an ioctl.

Add a range check for avoiding the undefined behavior.
As the value can be treated by a signed integer, the max shift should
be 30.

Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201209084552.17109-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/oss/pcm_oss.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1935,11 +1935,15 @@ static int snd_pcm_oss_set_subdivide(str
static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsigned int val)
{
struct snd_pcm_runtime *runtime;
+ int fragshift;
runtime = substream->runtime;
if (runtime->oss.subdivision || runtime->oss.fragshift)
return -EINVAL;
- runtime->oss.fragshift = val & 0xffff;
+ fragshift = val & 0xffff;
+ if (fragshift >= 31)
+ return -EINVAL;
+ runtime->oss.fragshift = fragshift;
runtime->oss.maxfrags = (val >> 16) & 0xffff;
if (runtime->oss.fragshift < 4) /* < 16 */
runtime->oss.fragshift = 4;
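
Review bot: the bound in `if (fragshift >= 31)` is a bare magic number, and the reason for it (the shifted result is handled as a signed integer, so 30 is the largest safe shift) appears only in the commit message. A one-line comment on that check, or a named constant, would keep the limit from being loosened by a later cleanup. The placement is right: the check runs before any `runtime->oss` field is written, so a rejected ioctl leaves the runtime state untouched. The adjacent `runtime->oss.maxfrags = (val >> 16) & 0xffff;` still stores the upper half of the same ioctl argument without a range check in this hunk, so it is worth confirming that the code consuming `maxfrags` bounds it.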