From: Dan Carpenter <dan.carpenter@oracle.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: Vinod Koul <vinod.koul@linux.intel.com>,
alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
Jesper Juhl <jj@chaosbits.net>,
Namarta Kohli <namartax.kohli@intel.com>
Subject: Re: [patch] ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()
Date: Thu, 6 Sep 2012 07:59:13 -0700 [thread overview]
Message-ID: <20120906145912.GK19410@mwanda> (raw)
In-Reply-To: <s5hwr08ziyx.wl%tiwai@suse.de>
On Wed, Sep 05, 2012 at 03:40:06PM +0200, Takashi Iwai wrote:
> At Wed, 5 Sep 2012 15:32:18 +0300,
> Dan Carpenter wrote:
> >
> > These are 32 bit values that come from the user, we need to check for
> > integer overflows or we could end up allocating a smaller buffer than
> > expected.
>
> The buffer size here is supposed to be fairly small that kmalloc can
> handle. So, the overflow check is good, but in practice it'd return
> -ENOMEM.
My concern was the security implications from an integer wrap. If
we chose ->fragment_size = 256 and ->fragments = 0x80000001 then the
size of the final buffer would only be 256 bytes. The allocation
would succeed and it might lead to memory corruption later on. I
haven't followed it through to verify but adding a sanity check is a
good idea. It should probably be pushed to -stable as well.
> Of course, it's fine to put the sanity check, but such
> checks could be better peformed in snd_compr_set_params() before
> calling the allocation, I think.
To me it looks sort of weird to do the checking there. Also if we
add more callers we would have to add the checking to all the
callers as well. I can do that if you still prefer.
regards,
dan carpenter
>
>
> thanks,
>
> Takashi
>
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
> > index ec2118d..5a733e7 100644
> > --- a/sound/core/compress_offload.c
> > +++ b/sound/core/compress_offload.c
> > @@ -409,6 +409,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
> > unsigned int buffer_size;
> > void *buffer;
> >
> > + if (params->buffer.fragment_size == 0 ||
> > + params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
> > + return -EINVAL;
> > +
> > buffer_size = params->buffer.fragment_size * params->buffer.fragments;
> > if (stream->ops->copy) {
> > buffer = NULL;
> >
next prev parent reply other threads:[~2012-09-06 14:59 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-05 12:32 [patch] ALSA: compress_core: integer overflow in snd_compr_allocate_buffer() Dan Carpenter
2012-09-05 13:40 ` Takashi Iwai
2012-09-06 14:59 ` Dan Carpenter [this message]
2012-09-06 15:19 ` Takashi Iwai
2012-09-14 9:06 ` Takashi Iwai
2012-09-14 9:24 ` Vinod Koul
2012-09-14 9:28 ` Vinod Koul
2012-09-14 9:45 ` Takashi Iwai
2012-09-14 9:49 ` Vinod Koul
2012-09-14 10:00 ` Takashi Iwai
2012-09-14 9:35 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120906145912.GK19410@mwanda \
--to=dan.carpenter@oracle.com \
--cc=alsa-devel@alsa-project.org \
--cc=jj@chaosbits.net \
--cc=kernel-janitors@vger.kernel.org \
--cc=namartax.kohli@intel.com \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=tiwai@suse.de \
--cc=vinod.koul@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).