lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <s5hhckjtf7p.wl%tiwai@suse.de>
Date:	Mon, 22 Oct 2007 16:07:54 +0200
From:	Takashi Iwai <tiwai@...e.de>
To:	Adrian Bunk <bunk@...nel.org>
Cc:	perex@...ex.cz, linux-kernel@...r.kernel.org
Subject: Re: sound/pci/hda/patch_via.c: array overflow

At Fri, 19 Oct 2007 14:57:09 +0200,
Adrian Bunk wrote:
> 
> sound/pci/hda/patch_via.c contains the following code:
> 
> <--  snip  -->
> 
> ...
> struct via_spec {
> ...
>         hda_nid_t private_dac_nids[4];  
> ...                               ^^^
> };
> ...
> static int vt1709_auto_fill_dac_nids(struct via_spec *spec,
>                                      const struct auto_pin_cfg *cfg)
> {
> ...
>        spec->multiout.dac_nids = spec->private_dac_nids;
> 
>         if (cfg->line_outs == 4) { /* 10 channels */   <------------------
>                 for (i = 0; i < cfg->line_outs; i++) {
>                         nid = cfg->line_out_pins[i];
>                         if (nid) {
>                                 /* config dac list */
>                                 switch (i) {
>                                 case AUTO_SEQ_FRONT:
>                                         /* AOW0 */
>                                         spec->multiout.dac_nids[i] = 0x10;
>                                         break;
>                                 case AUTO_SEQ_CENLFE:
>                                         /* AOW2 */
>                                         spec->multiout.dac_nids[i] = 0x12;
>                                         break;
>                                 case AUTO_SEQ_SURROUND:
>                                         /* AOW3 */
>                                         spec->multiout.dac_nids[i] = 0x27;
>                                         break;
>                                 case AUTO_SEQ_SIDE:
>                                         /* AOW1 */
>                                         spec->multiout.dac_nids[i] = 0x11;
>                                         break;
>                                 default:
>                                         break;
>                                 }
>                         }
>                 }
>                 spec->multiout.dac_nids[cfg->line_outs] = 0x28; /* AOW4 */
> ...                                     ^^^^^^^^^^^^^^
> 
> <--  snip  -->
> 
> Spotted by the Coverity checker.

Thanks.  The following patch was applied to ALSA tree.


Takashi


[ALSA] hda-codec - Fix possible array overflow

dac_nids arrays in each codec support code may have up to 5 items
when assigned from the auto-configurator.  Some codec codes have
less numbers than the possible max.  This patch defines the constant
and fixes the array definitions.

Signed-off-by: Takashi Iwai <tiwai@...e.de>

---

diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/hda_local.h
--- a/sound/pci/hda/hda_local.h	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/hda_local.h	Mon Oct 22 17:20:10 2007 +0200
@@ -310,16 +310,17 @@ enum {
 
 extern const char *auto_pin_cfg_labels[AUTO_PIN_LAST];
 
+#define AUTO_CFG_MAX_OUTS	5
+
 struct auto_pin_cfg {
 	int line_outs;
-	hda_nid_t line_out_pins[5]; /* sorted in the order of
-				     * Front/Surr/CLFE/Side
-				     */
+	/* sorted in the order of Front/Surr/CLFE/Side */
+	hda_nid_t line_out_pins[AUTO_CFG_MAX_OUTS];
 	int speaker_outs;
-	hda_nid_t speaker_pins[5];
+	hda_nid_t speaker_pins[AUTO_CFG_MAX_OUTS];
 	int hp_outs;
 	int line_out_type;	/* AUTO_PIN_XXX_OUT */
-	hda_nid_t hp_pins[5];
+	hda_nid_t hp_pins[AUTO_CFG_MAX_OUTS];
 	hda_nid_t input_pins[AUTO_PIN_LAST];
 	hda_nid_t dig_out_pin;
 	hda_nid_t dig_in_pin;
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_analog.c
--- a/sound/pci/hda/patch_analog.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_analog.c	Mon Oct 22 17:20:10 2007 +0200
@@ -72,7 +72,7 @@ struct ad198x_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[4];
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 	unsigned int jack_present :1;
 
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_cmedia.c
--- a/sound/pci/hda/patch_cmedia.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_cmedia.c	Mon Oct 22 17:20:10 2007 +0200
@@ -50,7 +50,7 @@ struct cmi_spec {
 
 	/* playback */
 	struct hda_multi_out multiout;
-	hda_nid_t dac_nids[4];		/* NID for each DAC */
+	hda_nid_t dac_nids[AUTO_CFG_MAX_OUTS];	/* NID for each DAC */
 	int num_dacs;
 
 	/* capture */
@@ -73,7 +73,6 @@ struct cmi_spec {
 	unsigned int pin_def_confs;
 
 	/* multichannel pins */
-	hda_nid_t multich_pin[4];	/* max 8-channel */
 	struct hda_verb multi_init[9];	/* 2 verbs for each pin + terminator */
 };
 
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_conexant.c
--- a/sound/pci/hda/patch_conexant.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_conexant.c	Mon Oct 22 17:20:10 2007 +0200
@@ -85,7 +85,7 @@ struct conexant_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[4];
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 };
 
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_realtek.c
--- a/sound/pci/hda/patch_realtek.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_realtek.c	Mon Oct 22 17:20:10 2007 +0200
@@ -238,7 +238,7 @@ struct alc_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[5];
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 	/* hooks */
 	void (*init_hook)(struct hda_codec *codec);
diff -r 1ea57d99d2e5 -r 86919e2e4d61 sound/pci/hda/patch_via.c
--- a/sound/pci/hda/patch_via.c	Mon Oct 22 17:11:09 2007 +0200
+++ b/sound/pci/hda/patch_via.c	Mon Oct 22 17:20:10 2007 +0200
@@ -114,7 +114,7 @@ struct via_spec {
 	unsigned int num_kctl_alloc, num_kctl_used;
 	struct snd_kcontrol_new *kctl_alloc;
 	struct hda_input_mux private_imux;
-	hda_nid_t private_dac_nids[4];	
+	hda_nid_t private_dac_nids[AUTO_CFG_MAX_OUTS];
 
 #ifdef CONFIG_SND_HDA_POWER_SAVE
 	struct hda_loopback_check loopback;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ