Alsa-Devel Archive on lore.kernel.org
From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
To: alsa-devel@alsa-project.org
Cc: Takashi Iwai <tiwai@suse.de>, Jaroslav Kysela <perex@perex.cz>,
	Arthur Marsh <arthur.marsh@internode.on.net>
Subject: [PATCH 08/18] ALSA: emu10k1: move patch loader assertions into low-level functions
Date: Mon,  1 Apr 2024 12:07:32 +0200
Message-ID: <20240401100742.506001-9-oswald.buddenhagen@gmx.de>
In-Reply-To: <20240401100742.506001-1-oswald.buddenhagen@gmx.de>

Convert some checks in snd_emu10k1_sample_new() back into assertions (as
they were prior to da3cec35dd (ALSA: Kill snd_assert() in sound/pci/*,
2008-08-08)), and move them into the low-level memory access functions
they protect.

Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>

---

Side note: this eliminates the memory leaks in the now gone error paths.
I don't think it was actually possible to trigger these even before the
foregoing cleanups. But if it were, it would allow a user with access to
the audio device a scope-limited DoS attack on it. This would be only a
very minor security hole, given that on modern systems it would merely
enable the current seat owner to be a nuisance to their successor, by
making a reboot necessary.
---
 sound/pci/emu10k1/emu10k1_patch.c | 4 ----
 sound/pci/emu10k1/memory.c        | 6 ++++++
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/sound/pci/emu10k1/emu10k1_patch.c b/sound/pci/emu10k1/emu10k1_patch.c
index 47d69a0e44bc..55bb60d31fe4 100644
--- a/sound/pci/emu10k1/emu10k1_patch.c
+++ b/sound/pci/emu10k1/emu10k1_patch.c
@@ -65,17 +65,13 @@ snd_emu10k1_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
 	size = BLANK_HEAD_SIZE;
 	if (! (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_8BITS))
 		size *= 2;
-	if (offset + size > blocksize)
-		return -EINVAL;
 	snd_emu10k1_synth_bzero(emu, sp->block, offset, size);
 	offset += size;

 	/* copy provided samples */
 	size = sp->v.size;
 	if (! (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_8BITS))
 		size *= 2;
-	if (offset + size > blocksize)
-		return -EINVAL;
 	if (snd_emu10k1_synth_copy_from_user(emu, sp->block, offset, data, size)) {
 		snd_emu10k1_synth_free(emu, sp->block);
 		sp->block = NULL;
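Review bot: with the two `offset + size > blocksize` checks gone, the first remaining call site does not look at the return value of `snd_emu10k1_synth_bzero()`, so if the assertion that now lives inside it ever fires, the -EFAULT is silently dropped and the function carries on to `snd_emu10k1_synth_copy_from_user()` with the same out-of-range offset. Either check that return value the same way the copy_from_user call below does (free the block, clear `sp->block`, propagate the error), or state in the commit message which earlier validation of `sp->v.size` against the allocated block makes the condition unreachable from the patch ioctl, since a reachable `snd_BUG_ON()` is a user-triggerable kernel warning rather than a clean -EINVAL. Also worth confirming that `blocksize` is still referenced elsewhere in this function after the hunk; if these were its only uses, the now-unused variable should be removed in the same patch.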
diff --git a/sound/pci/emu10k1/memory.c b/sound/pci/emu10k1/memory.c
index 20b07117574b..fc9444404151 100644
--- a/sound/pci/emu10k1/memory.c
+++ b/sound/pci/emu10k1/memory.c
@@ -574,6 +574,9 @@ int snd_emu10k1_synth_bzero(struct snd_emu10k1 *emu, struct snd_util_memblk *blk
 	void *ptr;
 	struct snd_emu10k1_memblk *p = (struct snd_emu10k1_memblk *)blk;

+	if (snd_BUG_ON(offset + size > p->mem.size))
+		return -EFAULT;
+
 	offset += blk->offset & (PAGE_SIZE - 1);
 	end_offset = offset + size;
 	page = get_aligned_page(offset);
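Review bot: the errno changes here from the -EINVAL the removed caller checks returned to -EFAULT, which is the value normally reserved for bad user addresses; if any caller propagates this to userspace, a size mismatch will now be reported as a fault, so either keep -EINVAL or mention the change in the commit message. The comparison `offset + size > p->mem.size` is done before `offset` is adjusted by `blk->offset & (PAGE_SIZE - 1)`, which is the right order for checking against the logical block size, but the hunk does not show the types of `offset` and `size`; if both are unsigned ints the sum can wrap, so a form like `size > p->mem.size || offset > p->mem.size - size` is safer against overflow.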
@@ -604,6 +607,9 @@ int snd_emu10k1_synth_copy_from_user(struct snd_emu10k1 *emu, struct snd_util_me
 	void *ptr;
 	struct snd_emu10k1_memblk *p = (struct snd_emu10k1_memblk *)blk;

+	if (snd_BUG_ON(offset + size > p->mem.size))
+		return -EFAULT;
+
 	offset += blk->offset & (PAGE_SIZE - 1);
 	end_offset = offset + size;
 	page = get_aligned_page(offset);
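Review bot: this is the same three-line assertion as the one added to `snd_emu10k1_synth_bzero()` above; the two functions already share the identical prologue (`struct snd_emu10k1_memblk *p = (struct snd_emu10k1_memblk *)blk;` followed by the page-offset adjustment), so a small static helper that takes `blk`, `offset` and `size` and returns the `snd_BUG_ON()` result would keep the two checks from drifting apart. The same -EINVAL versus -EFAULT and unsigned-wraparound remarks apply here as well.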
--
2.42.0.419.g70bf8a5751


Thread overview: 22+ messages
2024-04-01 10:07 [PATCH 00/18] ALSA: emu10k1 & emux: fixes related to wavetable playback Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 01/18] ALSA: emux: fix /proc teardown at module unload Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 02/18] ALSA: emux: prune unused parameter from snd_soundfont_load_guspatch() Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 03/18] ALSA: emux: fix validation of snd_emux.num_ports Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 04/18] ALSA: emux: fix init of patch_info.truesize in load_data() Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 05/18] ALSA: emu10k1: prune vestiges of SNDRV_SFNT_SAMPLE_{BIDIR,REVERSE}_LOOP support Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 06/18] ALSA: emux: centralize & improve patch info validation Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 07/18] ALSA: emux: improve patch ioctl data validation Oswald Buddenhagen
2024-04-01 10:07 ` Oswald Buddenhagen [this message]
2024-04-01 10:07 ` [PATCH 09/18] ALSA: emu10k1: fix sample signedness issues in wavetable loader Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 10/18] ALSA: emu10k1: fix playback of 8-bit wavetable samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 11/18] ALSA: emu10k1: make wavetable sample playback start position exact Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 12/18] ALSA: emu10k1: shrink blank space in front of wavetable samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 13/18] ALSA: emu10k1: merge conditions in patch loader Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 14/18] ALSA: emu10k1: fix wavetable offset recalculation Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 15/18] ALSA: emu10k1: de-duplicate size calculations for 16-bit samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 16/18] ALSA: emu10k1: improve cache behavior documentation Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 17/18] ALSA: emu10k1: fix playback of short wavetable samples Oswald Buddenhagen
2024-04-01 10:07 ` [PATCH 18/18] ALSA: emux: simplify snd_sf_list.callback handling Oswald Buddenhagen
2024-04-01 10:51 ` [PATCH 00/18] ALSA: emu10k1 & emux: fixes related to wavetable playback Takashi Iwai
2024-04-01 11:18   ` Oswald Buddenhagen
2024-04-01 11:44     ` Takashi Iwai
