iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/sound/core
History
Zheyu Ma 6ab55ec0a9 ALSA: control: Fix an out-of-bounds bug in get_ctl_id_hash() 
Since the user can control the arguments provided to the kernel by the
ioctl() system call, an out-of-bounds bug occurs when the 'id->name'
provided by the user does not end with '\0'.

The following log can reveal it:

[    10.002313] BUG: KASAN: stack-out-of-bounds in snd_ctl_find_id+0x36c/0x3a0
[    10.002895] Read of size 1 at addr ffff888109f5fe28 by task snd/439
[    10.004934] Call Trace:
[    10.007140]  snd_ctl_find_id+0x36c/0x3a0
[    10.007489]  snd_ctl_ioctl+0x6cf/0x10e0

Fix this by checking the bound of 'id->name' in the loop.

Fixes: c27e1efb61c5 ("ALSA: control: Use xarray for faster lookups")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Link: https://lore.kernel.org/r/20220824081654.3767739-1-zheyuma97@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2022-08-24 11:41:53 +02:00
..
oss
Merge branch 'for-next' into for-linus
2022-03-21 16:18:34 +01:00
seq
ALSA: seq: Fix data-race at module auto-loading
2022-08-24 07:59:06 +02:00
compress_offload.c
ALSA: compress: Fix kernel doc warnings
2022-07-13 13:42:36 +02:00
control_compat.c
x86: Remove toolchain check for X32 ABI capability
2022-03-15 10:32:48 +01:00
control_led.c
ALSA: control-led: Replace sprintf() with sysfs_emit()
2022-08-02 16:03:43 +02:00
control.c
ALSA: control: Fix an out-of-bounds bug in get_ctl_id_hash()
2022-08-24 11:41:53 +02:00
ctljack.c
ALSA: Convert strlcpy to strscpy when return value is unused
2021-01-08 09:30:05 +01:00
device.c
ALSA: core: Fix missing return value comments for kernel docs
2022-07-13 13:42:38 +02:00
hrtimer.c
ALSA: timer: Replace tasklet with work
2020-09-09 18:32:52 +02:00
hwdep_compat.c
ALSA: compat_ioctl: avoid compat_alloc_user_space
2020-09-21 10:37:07 +02:00
hwdep.c
ALSA: core: Fix assignment in if condition
2021-06-09 17:30:22 +02:00
info_oss.c
ALSA: oss: remove useless NULL check before kfree
2021-12-06 10:08:13 +01:00
info.c
ALSA: info: Fix llseek return value when using callback
2022-08-17 15:13:30 +02:00
init.c
ALSA: core: Replace scnprintf() with sysfs_emit()
2022-08-02 16:03:45 +02:00
isadma.c
sound updates for 6.0-rc1
2022-08-06 10:19:51 -07:00
jack.c
ALSA: jack: Access input_dev under mutex
2022-04-12 12:19:05 +02:00
Kconfig
ALSA: control: Add input validation
2022-06-15 07:45:28 +02:00
Makefile
m68k: coldfire: drop ISA_DMA_API support
2022-05-16 13:18:30 +10:00
memalloc_local.h
ALSA: memalloc: Support for non-contiguous page allocation
2021-10-18 13:32:10 +02:00
memalloc.c
ALSA: memalloc: Revive x86-specific WC page allocations again
2022-08-22 13:01:27 +02:00
memory.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156
2019-05-30 11:26:35 -07:00
misc.c
ALSA: core: Add async signal helpers
2022-07-29 12:57:10 +02:00
pcm_compat.c
x86: Remove toolchain check for X32 ABI capability
2022-03-15 10:32:48 +01:00
pcm_dmaengine.c
ALSA: dmaengine: Fix missing return value comments for kernel docs
2022-07-13 13:42:35 +02:00
pcm_drm_eld.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
pcm_iec958.c
ALSA: iec958: Split status creation and fill
2021-06-08 17:05:41 +02:00
pcm_lib.c
ALSA: pcm: Use deferred fasync helper
2022-07-29 12:57:11 +02:00
pcm_local.h
ALSA: memalloc: Support for non-contiguous page allocation
2021-10-18 13:32:10 +02:00
pcm_memory.c
ALSA: pcm: Fix missing return value comments for kernel docs
2022-07-13 13:42:34 +02:00
pcm_misc.c
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
2022-04-11 09:27:56 +02:00
pcm_native.c
ALSA: pcm: Use deferred fasync helper
2022-07-29 12:57:11 +02:00
pcm_param_trace.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
pcm_timer.c
ALSA: timer: Constify snd_timer_hardware definitions
2020-01-03 09:24:07 +01:00
pcm_trace.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
pcm.c
ALSA: pcm: Replace sprintf() with sysfs_emit()
2022-08-02 16:03:46 +02:00
rawmidi_compat.c
ALSA: rawmidi: Add framing mode
2021-05-17 16:02:44 +02:00
rawmidi.c
ALSA: rawmidi: Take buffer refcount while draining output
2022-06-20 09:36:04 +02:00
seq_device.c
ALSA: seq: Fix a potential UAF by wrong private_free call order
2021-09-30 14:13:22 +02:00
sound_oss.c
ALSA: core: Fix assignment in if condition
2021-06-09 17:30:22 +02:00
sound.c
ALSA: core: Fix assignment in if condition
2021-06-09 17:30:22 +02:00
timer_compat.c
ALSA: Convert strlcpy to strscpy when return value is unused
2021-01-08 09:30:05 +01:00
timer.c
ALSA: timer: Use deferred fasync helper
2022-07-29 12:57:11 +02:00
vmaster.c
ALSA: core: Fix missing return value comments for kernel docs
2022-07-13 13:42:38 +02:00