From: walter harms <wharms@bfs.de>
To: Takashi Iwai <tiwai@suse.de>
Cc: alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org,
Dan Carpenter <error27@gmail.com>
Subject: Re: [patch] sound/oss: potential integer overflow
Date: Wed, 08 Sep 2010 09:50:20 +0000 [thread overview]
Message-ID: <4C875C5C.8080608@bfs.de> (raw)
In-Reply-To: <s5h39tkvfez.wl%tiwai@suse.de>
Takashi Iwai schrieb:
> At Wed, 8 Sep 2010 09:26:32 +0200,
> Dan Carpenter wrote:
>> We don't want "pre_event_timeout" to be negative because that would
>> result in a stack traces in dmesg when we schedule a negative timeout.
>> In the original code "HZ * val" could overflow so I just moved the
>> check for negative below the multiply.
>
> This would bring another side-effect. When a value like 0x80001234
> is passed, this would result in a positive value in turn.
> We need additional check like below.
>
>
> thanks,
>
> Takashi
>
> ---
> diff --git a/sound/core/seq/oss/seq_oss_ioctl.c b/sound/core/seq/oss/seq_oss_ioctl.c
> index 5ac701c..b2e0789 100644
> --- a/sound/core/seq/oss/seq_oss_ioctl.c
> +++ b/sound/core/seq/oss/seq_oss_ioctl.c
> @@ -191,10 +191,13 @@ snd_seq_oss_ioctl(struct seq_oss_devinfo *dp, unsigned int cmd, unsigned long ca
> return 0;
> if (get_user(val, p))
> return -EFAULT;
> - if (val <= 0)
> - val = -1;
> - else
> + if (val < 0)
> + val = 0;
> + else {
> val = (HZ * val) / 10;
> + if (val < 0) /* check overflow */
> + val = 0;
> + }
> dp->readq->pre_event_timeout = val;
> return put_user(val, p) ? -EFAULT : 0;
>
> diff --git a/sound/oss/midibuf.c b/sound/oss/midibuf.c
> index 782b3b8..b8da210 100644
> --- a/sound/oss/midibuf.c
> +++ b/sound/oss/midibuf.c
> @@ -382,7 +382,11 @@ int MIDIbuf_ioctl(int dev, struct file *file,
> return -EFAULT;
> if (val < 0)
> val = 0;
> - val = (HZ * val) / 10;
> + else {
> + val = (HZ * val) / 10;
> + if (val < 0) /* check overflow */
> + val = 0;
> + }
> parms[dev].prech_timeout = val;
> return put_user(val, (int __user *)arg);
>
> diff --git a/sound/oss/sequencer.c b/sound/oss/sequencer.c
> index e85789e..f579210 100644
> --- a/sound/oss/sequencer.c
> +++ b/sound/oss/sequencer.c
> @@ -1509,7 +1509,11 @@ int sequencer_ioctl(int dev, struct file *file, unsigned int cmd, void __user *a
> return -EFAULT;
> if (val < 0)
> val = 0;
> - val = (HZ * val) / 10;
> + else {
> + val = (HZ * val) / 10;
> + if (val < 0) /* check overflow */
> + val = 0;
> + }
> pre_event_timeout = val;
> break;
>
> --
Perhaps a recalc_val() is here better ? That would avoid duplication
and make sure that they behave equal.
(see: > - if (val <= 0)
> - val = -1;
)
int recalc_val(int hz, int val)
{
if (val < 0)
return 0
val = (hz * val) / 10;
if (val < 0)
return 0
return val;
}
just my 2 cents,
not a tested patch.
re,
wh
prev parent reply other threads:[~2010-09-08 9:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-08 7:26 [patch] sound/oss: potential integer overflow Dan Carpenter
2010-09-08 7:54 ` Takashi Iwai
2010-09-08 9:50 ` walter harms [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C875C5C.8080608@bfs.de \
--to=wharms@bfs.de \
--cc=alsa-devel@alsa-project.org \
--cc=error27@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox