From: Clemens Ladisch <clemens@ladisch.de>
To: Dan Carpenter <error27@gmail.com>
Cc: Takashi Iwai <tiwai@suse.de>,
alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org
Subject: Re: bug report: using snd_BUG_ON() instead of WARN_ON()
Date: Fri, 19 Feb 2010 18:41:22 +0100 [thread overview]
Message-ID: <4B7ECD42.5050403@ladisch.de> (raw)
In-Reply-To: <20100218091936.GA5621@bicker>
Dan Carpenter wrote:
> Smatch found a couple places try use the return value for snd_BUG_ON()
> without realizing it's always zero
snd_BUG_ON() returns the return value of WARN() which is the value of the
condition.
> or that it can be defined away entirely under certain configs.
This is the point of this debugging macro.
> sound/drivers/opl3/opl3_midi.c +652 snd_opl3_kill_voice(34) warn: buffer overflow 'opl3->voices' 18 <= 20
>
> opl3_midi.c checks the range with snd_BUG_ON() and then adds 3 so
> it possibly goes out of bounds. I'm not sure the situation there.
A four-operator sound needs two voices with that offset.
opl3_get_voice() takes care of allocating appropriate voices for that,
but this case is not checked with snd_BUG_ON(). It would be possible to
add snd_BUG_ON(voice+3) into the if().
> sound/core/seq/seq_midi.c +403 snd_seq_midisynth_register_port(126) error: buffer overflow 'client->ports_per_device' 8 <= 8
> sound/core/seq/seq_midi.c +404 snd_seq_midisynth_register_port(127) error: buffer overflow 'client->ports' 8 <= 8
There is a snd_BUG_ON(device>=8) in line 291, so device can be at most 7.
> sound/core/info_oss.c +52 snd_oss_info_register(10) error: buffer overflow 'snd_sndstat_strings[num]' 6 <= 6
> sound/core/info_oss.c +52 snd_oss_info_register(10) error: buffer overflow 'snd_sndstat_strings' 32 <= 32
> sound/core/info_oss.c +63 snd_oss_info_register(21) error: buffer overflow 'snd_sndstat_strings[num]' 6 <= 6
> sound/core/info_oss.c +63 snd_oss_info_register(21) error: buffer overflow 'snd_sndstat_strings' 32 <= 32
> sound/pci/cs46xx/dsp_spos_scb_lib.c +1497 cs46xx_dsp_destroy_pcm_channel(28) error: buffer overflow 'ins->src_scb_slots' 14 <= 14
Same type of false positive; it looks as if >= in snd_BUG_ON() is not
handled correctly.
Regards,
Clemens
next prev parent reply other threads:[~2010-02-19 17:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-18 9:19 bug report: using snd_BUG_ON() instead of WARN_ON() Dan Carpenter
2010-02-19 17:41 ` Clemens Ladisch [this message]
2010-02-19 19:53 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B7ECD42.5050403@ladisch.de \
--to=clemens@ladisch.de \
--cc=alsa-devel@alsa-project.org \
--cc=error27@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).