From: Takashi Iwai <tiwai@suse.de>
To: Kun Hu <huk23@m.fudan.edu.cn>
Cc: perex@perex.cz, tiwai@suse.com, linux-sound@vger.kernel.org,
linux-kernel@vger.kernel.org,
"jjtan24@m.fudan.edu.cn" <jjtan24@m.fudan.edu.cn>
Subject: Re: Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex
Date: Sun, 29 Dec 2024 11:45:49 +0100 [thread overview]
Message-ID: <87ed1qydgi.wl-tiwai@suse.de> (raw)
In-Reply-To: <B1CA9370-9EFE-4854-B8F7-435E0B9276C6@m.fudan.edu.cn>
On Wed, 25 Dec 2024 06:37:47 +0100,
Kun Hu wrote:
>
> Hello,
>
> > BUG: KASAN: slab-out-of-bounds in snd_seq_oss_synth_sysex+0x5d1/0x6c0 sound/core/seq/oss/seq_oss_synth.c:516
>
> We further analyzed the issue at line 516 in ./sound/core/seq/oss/seq_oss_synth.c.
> The slab-out-of-bounds crash occurs in line 509, when sysex->len = 128. Specifically, the write operation to dest[0] accesses memory beyond the bounds of sysex->buf (128 byte).
> To resolve this issue, we suggest adding 6 lines of code to validate the legality of the address write to sysex->buf before entering the loop:
>
> if (sysex->len >= MAX_SYSEX_BUFLEN) {
> sysex->len = 0;
> sysex->skip = 1;
> return -EINVAL; /* Exit early if sysex->len is out of bounds */
> }
The only place incrementing sysex->len is that loop and it has already
the bounce check which resets sysex->len to 0. That is, the likely
reason of the buffer overflow is rather the racy calls of this
function.
If so, a potential fix would be rather to protect the concurrency,
e.g. a simplest form is something like below.
Could you check whether it addresses your problem?
thanks,
Takashi
-- 8< --
--- a/sound/core/seq/oss/seq_oss_synth.c
+++ b/sound/core/seq/oss/seq_oss_synth.c
@@ -66,6 +66,7 @@ static struct seq_oss_synth midi_synth_dev = {
};
static DEFINE_SPINLOCK(register_lock);
+static DEFINE_MUTEX(sysex_mutex);
/*
* prototypes
@@ -497,6 +498,7 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
if (!info)
return -ENXIO;
+ guard(mutex)(&sysex_mutex);
sysex = info->sysex;
if (sysex == NULL) {
sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);
next prev parent reply other threads:[~2024-12-29 10:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-24 11:16 Bug: slab-out-of-bounds in snd_seq_oss_synth_sysex Kun Hu
2024-12-25 5:37 ` Kun Hu
2024-12-26 6:08 ` Kun Hu
2024-12-28 8:07 ` Kun Hu
2024-12-28 8:35 ` Takashi Iwai
2024-12-28 8:44 ` Kun Hu
2024-12-29 10:45 ` Takashi Iwai [this message]
2024-12-30 9:52 ` Kun Hu
[not found] ` <3326E7C2-1E4F-4F57-AAB5-065C20854F31@m.fudan.edu.cn>
2024-12-30 10:59 ` Takashi Iwai
2024-12-30 13:10 ` Kun Hu
2024-12-31 11:54 ` Takashi Iwai
2025-01-01 6:54 ` Kun Hu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ed1qydgi.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=huk23@m.fudan.edu.cn \
--cc=jjtan24@m.fudan.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=perex@perex.cz \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox