linux/sound/core
Zheyu Ma 6ab55ec0a9 ALSA: control: Fix an out-of-bounds bug in get_ctl_id_hash()
Since the user can control the arguments provided to the kernel by the
ioctl() system call, an out-of-bounds bug occurs when the 'id->name'
provided by the user does not end with '\0'.

The following log can reveal it:

[    10.002313] BUG: KASAN: stack-out-of-bounds in snd_ctl_find_id+0x36c/0x3a0
[    10.002895] Read of size 1 at addr ffff888109f5fe28 by task snd/439
[    10.004934] Call Trace:
[    10.007140]  snd_ctl_find_id+0x36c/0x3a0
[    10.007489]  snd_ctl_ioctl+0x6cf/0x10e0

Fix this by checking the bound of 'id->name' in the loop.

Fixes: c27e1efb61 ("ALSA: control: Use xarray for faster lookups")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Link: https://lore.kernel.org/r/20220824081654.3767739-1-zheyuma97@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2022-08-24 11:41:53 +02:00
oss Merge branch 'for-next' into for-linus 2022-03-21 16:18:34 +01:00
seq ALSA: seq: Fix data-race at module auto-loading 2022-08-24 07:59:06 +02:00
compress_offload.c ALSA: compress: Fix kernel doc warnings 2022-07-13 13:42:36 +02:00
control_compat.c x86: Remove toolchain check for X32 ABI capability 2022-03-15 10:32:48 +01:00
control_led.c ALSA: control-led: Replace sprintf() with sysfs_emit() 2022-08-02 16:03:43 +02:00
control.c ALSA: control: Fix an out-of-bounds bug in get_ctl_id_hash() 2022-08-24 11:41:53 +02:00
ctljack.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
device.c ALSA: core: Fix missing return value comments for kernel docs 2022-07-13 13:42:38 +02:00
hrtimer.c ALSA: timer: Replace tasklet with work 2020-09-09 18:32:52 +02:00
hwdep_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
hwdep.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
info_oss.c ALSA: oss: remove useless NULL check before kfree 2021-12-06 10:08:13 +01:00
info.c ALSA: info: Fix llseek return value when using callback 2022-08-17 15:13:30 +02:00
init.c ALSA: core: Replace scnprintf() with sysfs_emit() 2022-08-02 16:03:45 +02:00
isadma.c sound updates for 6.0-rc1 2022-08-06 10:19:51 -07:00
jack.c ALSA: jack: Access input_dev under mutex 2022-04-12 12:19:05 +02:00
Kconfig ALSA: control: Add input validation 2022-06-15 07:45:28 +02:00
Makefile m68k: coldfire: drop ISA_DMA_API support 2022-05-16 13:18:30 +10:00
memalloc_local.h ALSA: memalloc: Support for non-contiguous page allocation 2021-10-18 13:32:10 +02:00
memalloc.c ALSA: memalloc: Revive x86-specific WC page allocations again 2022-08-22 13:01:27 +02:00
memory.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
misc.c ALSA: core: Add async signal helpers 2022-07-29 12:57:10 +02:00
pcm_compat.c x86: Remove toolchain check for X32 ABI capability 2022-03-15 10:32:48 +01:00
pcm_dmaengine.c ALSA: dmaengine: Fix missing return value comments for kernel docs 2022-07-13 13:42:35 +02:00
pcm_drm_eld.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcm_iec958.c ALSA: iec958: Split status creation and fill 2021-06-08 17:05:41 +02:00
pcm_lib.c ALSA: pcm: Use deferred fasync helper 2022-07-29 12:57:11 +02:00
pcm_local.h ALSA: memalloc: Support for non-contiguous page allocation 2021-10-18 13:32:10 +02:00
pcm_memory.c ALSA: pcm: Fix missing return value comments for kernel docs 2022-07-13 13:42:34 +02:00
pcm_misc.c ALSA: pcm: Test for "silence" field in struct "pcm_format_data" 2022-04-11 09:27:56 +02:00
pcm_native.c ALSA: pcm: Use deferred fasync helper 2022-07-29 12:57:11 +02:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: timer: Constify snd_timer_hardware definitions 2020-01-03 09:24:07 +01:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm.c ALSA: pcm: Replace sprintf() with sysfs_emit() 2022-08-02 16:03:46 +02:00
rawmidi_compat.c ALSA: rawmidi: Add framing mode 2021-05-17 16:02:44 +02:00
rawmidi.c ALSA: rawmidi: Take buffer refcount while draining output 2022-06-20 09:36:04 +02:00
seq_device.c ALSA: seq: Fix a potential UAF by wrong private_free call order 2021-09-30 14:13:22 +02:00
sound_oss.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
sound.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
timer_compat.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
timer.c ALSA: timer: Use deferred fasync helper 2022-07-29 12:57:11 +02:00
vmaster.c ALSA: core: Fix missing return value comments for kernel docs 2022-07-13 13:42:38 +02:00