From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1D210C43334 for ; Tue, 14 Jun 2022 10:50:42 +0000 (UTC) Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id 18E85177E; Tue, 14 Jun 2022 12:49:50 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 18E85177E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1655203840; bh=6tlquX1a49B+CUlXKRfOB67CS0ET2f/peDg0gjMoTW8=; h=Date:From:To:Subject:In-Reply-To:References:Cc:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=spBXRUMnW0hLjAMCutlYCwIOXnz9CtEDFtTWijTkYA2jVhS9Whzhk7WPyGZa1CUy2 J62EIUxCAEdTyvdXfRiQGaHhVRKzy9x9l3pOCp/bcthqjQWNmETL+N1C6NzN7Q2+Bw y3Jw5lIRJigSDrtVpWhcx5RjebLf7+6pYPdfzcxk= Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1]) by alsa1.perex.cz (Postfix) with ESMTP id B35A9F80137; Tue, 14 Jun 2022 12:49:49 +0200 (CEST) Received: by alsa1.perex.cz (Postfix, from userid 50401) id D4CBDF800D8; Tue, 14 Jun 2022 12:49:47 +0200 (CEST) Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id C8F30F800D8 for ; Tue, 14 Jun 2022 12:49:39 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz C8F30F800D8 Authentication-Results: alsa1.perex.cz; dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de header.b="wikKS2Wh"; dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de header.b="9ohBsH8u" Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 321F821A4A; Tue, 14 Jun 2022 10:49:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1655203779; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BRrQFXdCbyVpl82DrmdE8Gz3NAbhN9s8qRhd/Zc1x14=; b=wikKS2WhWNH+VhmBbMHeWIzW+yoxaLMy0arjW2uaxUr7m6mQ5oIJwSxO1oNnktJQKweC0p X5ylPzAwvO3l81eNIAoJ9TtjqIJBDSYObiFapp6k+DUBMW0kuvu0GJOPF0Q5zkRF2qFw+N xjxeEVGKG6g+k+zZO6sybp5/yslZPTs= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1655203779; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BRrQFXdCbyVpl82DrmdE8Gz3NAbhN9s8qRhd/Zc1x14=; b=9ohBsH8uzbnz/w94dMmwRbPZKJfCUXyTdAVHntYO+Ega88dqMIEIAW+sNqGz9l+/wIPN7M jmjtml0FK2oOMiDw== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 1782B1361C; Tue, 14 Jun 2022 10:49:39 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 18lkBcNnqGLuXwAAMHmgww (envelope-from ); Tue, 14 Jun 2022 10:49:39 +0000 Date: Tue, 14 Jun 2022 12:49:38 +0200 Message-ID: <87y1xzplj1.wl-tiwai@suse.de> From: Takashi Iwai To: "Fabio M. De Francesco" Subject: Re: [PATCH] ALSA: pcm: Test for "silence" field in struct "pcm_format_data" In-Reply-To: <2245197.ElGaqSPkdT@opensuse> References: <20220409012655.9399-1-fmdefrancesco@gmail.com> <20220614095851.GA4199@lxhi-065> <2245197.ElGaqSPkdT@opensuse> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.2 Mule/6.0 MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: alsa-devel@alsa-project.org, Eugeniu Rosca , linux-kernel@vger.kernel.org, Takashi Iwai , syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com, Mark Brown , naveenkumar.sunkari@in.bosch.com, Eugeniu Rosca X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" On Tue, 14 Jun 2022 12:43:16 +0200, Fabio M. De Francesco wrote: > > On marted́ 14 giugno 2022 11:58:51 CEST Eugeniu Rosca wrote: > > Hello Fabio, hello All, > > > > On Sa, Apr 09, 2022 at 03:26:55 +0200, Fabio M. De Francesco wrote: > > > Syzbot reports "KASAN: null-ptr-deref Write in > > > snd_pcm_format_set_silence".[1] > > > > > > It is due to missing validation of the "silence" field of struct > > > "pcm_format_data" in "pcm_formats" array. > > > > > > Add a test for valid "pat" and, if it is not so, return -EINVAL. > > > > > > [1] https://lore.kernel.org/lkml/ > 000000000000d188ef05dc2c7279@google.com/ > > > > > > Reported-and-tested-by: > syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com > > > Signed-off-by: Fabio M. De Francesco > > > --- > > > > > > I wasn't able to figure out the commit for the "Fixes:" tag. If this > patch > > > is good, can someone please help with providing this missing > information? > > > > > > sound/core/pcm_misc.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/sound/core/pcm_misc.c b/sound/core/pcm_misc.c > > > index 4866aed97aac..5588b6a1ee8b 100644 > > > --- a/sound/core/pcm_misc.c > > > +++ b/sound/core/pcm_misc.c > > > @@ -433,7 +433,7 @@ int snd_pcm_format_set_silence(snd_pcm_format_t > format, void *data, unsigned int > > > return 0; > > > width = pcm_formats[(INT)format].phys; /* physical width */ > > > pat = pcm_formats[(INT)format].silence; > > > - if (! width) > > > + if (!width || !pat) > > > return -EINVAL; > > > /* signed or 1 byte data */ > > > if (pcm_formats[(INT)format].signd == 1 || width <= 8) { > > > > JFYI, PVS-Studio 7.19 reports: > > > > sound/core/pcm_misc.c 409 warn V560 A part of > conditional expression is always false: !pat. > > Sorry, I assumed (wrongly!) that when we have > > static const struct pcm_format_data > pcm_formats[(INT)SNDRV_PCM_FORMAT_LAST+1] = { > [SNDRV_PCM_FORMAT_S8] = { > .width = 8, .phys = 8, .le = -1, .signd = 1, > .silence = {}, > }, > [snip] > /* FIXME: the following two formats are not defined properly yet > */ > [SNDRV_PCM_FORMAT_MPEG] = { > .le = -1, .signd = -1, > }, > [SNDRV_PCM_FORMAT_GSM] = { > .le = -1, .signd = -1, > }, > > pointer "silence", and then "pat", must be NULL. Oh right, those are missing ones. I haven't realized that those formats are allowed by PCM OSS layer. Practically seen, those formats have never been used in reality, and we may consider dropping them completely to plug such holes... Takashi