From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
Daniil Dementev <d.dementev@ispras.ru>,
alsa-devel@alsa-project.org, Takashi Iwai <tiwai@suse.de>,
tiwai@suse.com, Alexey Khoroshilov <khoroshilov@ispras.ru>
Subject: [PATCH AUTOSEL 5.4 03/27] ALSA: usb-audio: US16x08: Move overflow check before array access
Date: Mon, 27 Jun 2022 22:23:49 -0400
Message-ID: <20220628022413.596341-3-sashal@kernel.org>
In-Reply-To: <20220628022413.596341-1-sashal@kernel.org>

From: Daniil Dementev <d.dementev@ispras.ru>

[ Upstream commit 3ddbe35d9a2ebd4924d458e0246b4ba6c13bb456 ]

Buffer overflow could occur in the loop "while", due to accessing an
array element before checking the index.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Daniil Dementev <d.dementev@ispras.ru>
Reviewed-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/r/20220610165732.2904-1-d.dementev@ispras.ru
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_us16x08.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c
index c6c834ac83ac..5e4aa1207c1b 100644
--- a/sound/usb/mixer_us16x08.c
+++ b/sound/usb/mixer_us16x08.c
@@ -637,10 +637,10 @@ static int snd_get_meter_comp_index(struct snd_us16x08_meter_store *store)
}
} else {
/* skip channels with no compressor active */
- while (!store->comp_store->val[
+ while (store->comp_index <= SND_US16X08_MAX_CHANNELS
+ && !store->comp_store->val[
COMP_STORE_IDX(SND_US16X08_ID_COMP_SWITCH)]
- [store->comp_index - 1]
- && store->comp_index <= SND_US16X08_MAX_CHANNELS) {
+ [store->comp_index - 1]) {
store->comp_index++;
}
ret = store->comp_index++;
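
Review bot: After the rewritten `while` loop, `ret = store->comp_index++;` still runs when the loop ended because `store->comp_index` passed `SND_US16X08_MAX_CHANNELS`, so `ret` can be `SND_US16X08_MAX_CHANNELS + 1` with no active compressor found. The visible lines do not show that value being rejected or wrapped, so please confirm that the code after this hunk or the caller handles it, or add an explicit check here. The new guard is also upper-bound only: `[store->comp_index - 1]` assumes `store->comp_index >= 1` on entry, which is worth a comment or an assertion if it is an invariant. Style nit: kernel convention places `&&` at the end of the preceding line rather than at the start of the continuation line.
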
--
2.35.1
WARNING: multiple messages have this Message-ID
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Daniil Dementev <d.dementev@ispras.ru>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.4 03/27] ALSA: usb-audio: US16x08: Move overflow check before array access
Date: Mon, 27 Jun 2022 22:23:49 -0400
Message-ID: <20220628022413.596341-3-sashal@kernel.org>
In-Reply-To: <20220628022413.596341-1-sashal@kernel.org>