From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.14 124/267] ALSA: pcm: oss: Avoid potential buffer overflows
Date: Mon, 16 Dec 2019 18:47:30 +0100
Message-Id: <20191216174903.510811312@linuxfoundation.org>
In-Reply-To: <20191216174848.701533383@linuxfoundation.org>

From: Takashi Iwai

commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which lead to such a buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc:
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/oss/linear.c | 2 ++
 sound/core/oss/mulaw.c  | 2 ++
 sound/core/oss/route.c  | 2 ++
 3 files changed, 6 insertions(+)

--- a/sound/core/oss/linear.c +++ b/sound/core/oss/linear.c 
@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer } } #endif + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; convert(plugin, src_channels, dst_channels, frames); return frames; } --- a/sound/core/oss/mulaw.c +++ b/sound/core/oss/mulaw.c @@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer( } } #endif + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; data = (struct mulaw_priv *)plugin->extra_data; data->func(plugin, src_channels, dst_channels, frames); return frames; --- a/sound/core/oss/route.c +++ b/sound/core/oss/route.c @@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer( return -ENXIO; if (frames == 0) return 0; + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; nsrcs = plugin->src_format.channels; ndsts = plugin->dst_format.channels;
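
Review bot: in the linear.c hunk the new bound in linear_transfer() is taken from dst_channels[0].frames alone, so every destination channel is limited by the first channel's frame count. If the plugin layer guarantees that all channels of a destination carry the same count, a short comment above the check stating that invariant would make the clamp self-explanatory; if it does not, the limit should be the minimum over all destination channels before convert() is called.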
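
Review bot: in the mulaw.c hunk the same two-line clamp is open-coded again (it also appears in linear_transfer() and route_transfer()), and mulaw_transfer() now returns the reduced frames value without any comment that a short return is possible. A small shared helper would keep the three copies in sync and give one place to document that callers must treat a smaller return as a partial transfer. The commit message also says the check goes into "each plugin transfer callback" and names the rate plugin as the source of the oversized count, but the diffstat lists only linear.c, mulaw.c and route.c; it is worth stating in the message why the remaining callbacks need no bound.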
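
Review bot: in the route.c hunk the clamp is placed after the "if (frames == 0) return 0;" early return, so when dst_channels[0].frames is 0 the function no longer exits early and continues into the nsrcs/ndsts setup with frames == 0. Moving the clamp above the zero check, or repeating the check after it, would keep the early exit effective for a clamped count as well.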