Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-26 14:12:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
efb6402c3c
linux/sound/core
History
Takashi Iwai efb6402c3c ALSA: oss: Fix PCM OSS buffer allocation overflow 
We've got syzbot reports hitting INT_MAX overflow at vmalloc()
allocation that is called from snd_pcm_plug_alloc().  Although we
apply the restrictions to input parameters, it's based only on the
hw_params of the underlying PCM device.  Since the PCM OSS layer
allocates a temporary buffer for the data conversion, the size may
become unexpectedly large when more channels or higher rates is given;
in the reported case, it went over INT_MAX, hence it hits WARN_ON().

This patch is an attempt to avoid such an overflow and an allocation
for too large buffers.  First off, it adds the limit of 1MB as the
upper bound for period bytes.  This must be large enough for all use
cases, and we really don't want to handle a larger temporary buffer
than this size.  The size check is performed at two places, where the
original period bytes is calculated and where the plugin buffer size
is calculated.

In addition, the driver uses array_size() and array3_size() for
multiplications to catch overflows for the converted period size and
buffer bytes.

Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2022-03-18 14:01:07 +01:00
..
oss ALSA: oss: Fix PCM OSS buffer allocation overflow 2022-03-18 14:01:07 +01:00
seq ALSA: seq: virmidi: Add a drain operation 2022-01-06 16:08:07 +01:00
compress_offload.c ALSA: compress: Initialize mutex in snd_compress_new() 2021-07-15 10:22:38 +02:00
control_compat.c ALSA: ctl: Fix copy of updated id with element read/write 2021-12-02 16:41:07 +01:00
control_led.c ALSA: led: Use restricted type for iface assignment 2021-11-23 18:12:05 +01:00
control.c ALSA: control: Minor optimization for SNDRV_CTL_IOCTL_POWER_STATE 2021-05-25 08:49:06 +02:00
ctljack.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
device.c ALSA: core: Add snd_device_get_state() helper 2020-03-23 18:09:19 +01:00
hrtimer.c ALSA: timer: Replace tasklet with work 2020-09-09 18:32:52 +02:00
hwdep_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
hwdep.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
info_oss.c ALSA: oss: remove useless NULL check before kfree 2021-12-06 10:08:13 +01:00
info.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
init.c ALSA: core: Simplify snd_power_ref_and_wait() with the standard macro 2022-01-19 17:26:04 +01:00
isadma.c ALSA: core: Add device-managed request_dma() 2021-07-19 16:16:34 +02:00
jack.c Merge branch 'for-next' into for-linus 2022-01-05 15:38:34 +01:00
Kconfig ALSA: control - add generic LED trigger module as the new control layer 2021-03-30 15:33:58 +02:00
Makefile ALSA: memalloc: Unify x86 SG-buffer handling (take#3) 2021-11-16 08:34:29 +01:00
memalloc_local.h ALSA: memalloc: Support for non-contiguous page allocation 2021-10-18 13:32:10 +02:00
memalloc.c ALSA: memalloc: invalidate SG pages before sync 2022-02-10 13:36:53 +01:00
memory.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
misc.c ALSA: core: Fix SSID quirk lookup for subvendor=0 2022-01-17 09:59:32 +01:00
pcm_compat.c ALSA: memalloc: Support for non-contiguous page allocation 2021-10-18 13:32:10 +02:00
pcm_dmaengine.c ASoC: dai_dma: remove slave_id field 2021-12-17 11:23:56 +05:30
pcm_drm_eld.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcm_iec958.c ALSA: iec958: Split status creation and fill 2021-06-08 17:05:41 +02:00
pcm_lib.c ALSA: pcm: introduce INFO_NO_REWINDS flag 2021-11-24 12:57:18 +00:00
pcm_local.h ALSA: memalloc: Support for non-contiguous page allocation 2021-10-18 13:32:10 +02:00
pcm_memory.c ALSA: memalloc: Support for non-contiguous page allocation 2021-10-18 13:32:10 +02:00
pcm_misc.c ALSA: pcm: Fix assignment in if condition 2021-06-09 17:30:24 +02:00
pcm_native.c ASoC: soc-pcm: Fix DPCM lockdep warning due to nested stream locks 2022-01-28 15:59:16 +00:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: timer: Constify snd_timer_hardware definitions 2020-01-03 09:24:07 +01:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm.c ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls 2021-11-16 08:13:55 +01:00
rawmidi_compat.c ALSA: rawmidi: Add framing mode 2021-05-17 16:02:44 +02:00
rawmidi.c ALSA: rawmidi - fix the uninitalized user_pversion 2021-12-22 20:18:27 +01:00
seq_device.c ALSA: seq: Fix a potential UAF by wrong private_free call order 2021-09-30 14:13:22 +02:00
sound_oss.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
sound.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
timer_compat.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
timer.c ALSA: timer: Unconditionally unlink slave instances, too 2021-11-05 11:27:27 +01:00
vmaster.c ALSA: Replace the word "slave" in vmaster API 2020-07-20 10:10:47 +02:00