Message-ID: <s5h37tvuivs.wl-tiwai@suse.de>
Date: Mon, 18 Jan 2016 14:17:27 +0100
From: Takashi Iwai <tiwai@...e.de>
To: "Dmitry Vyukov" <dvyukov@...gle.com>
Cc: <alsa-devel@...a-project.org>, "Jaroslav Kysela" <perex@...ex.cz>,
"Takashi Sakamoto" <o-takashi@...amocchi.jp>,
"LKML" <linux-kernel@...r.kernel.org>,
"Alexander Potapenko" <glider@...gle.com>,
"Kostya Serebryany" <kcc@...gle.com>,
"syzkaller" <syzkaller@...glegroups.com>,
"Sasha Levin" <sasha.levin@...cle.com>
Subject: Re: sound: BUG in snd_ctl_find_numid
On Mon, 18 Jan 2016 13:59:49 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers a BUG in snd_ctl_find_numid:

Do I understand correctly that you meant a kernel WARNING with a stack
trace as a "BUG"? If so, the patch below should cover it.

thanks,

Takashi

-- 8< --
From: Takashi Iwai <tiwai@...e.de>
Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with
numid 0

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call. The check was
intended obviously only for a kernel driver, but not for a user
interaction. Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Cc: <stable@...r.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
sound/core/control.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c
index 196a6fe100ca..a85d45595d02 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
return -EFAULT;
if (tlv.length < sizeof(unsigned int) * 2)
return -EINVAL;
+ if (!tlv.numid)
+ return -EINVAL;
down_read(&card->controls_rwsem);
kctl = snd_ctl_find_numid(card, tlv.numid);
if (kctl == NULL) {
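
Review bot: the new `if (!tlv.numid)` check carries no comment saying why zero is rejected here, so a later reader cannot tell from the code that it exists to keep a user-supplied value from reaching the warning path behind snd_ctl_find_numid(); a one-line comment above it stating that numid 0 is never valid and comes straight from the ioctl argument would prevent it being removed as redundant with the `kctl == NULL` handling below. Placement before down_read(&card->controls_rwsem) is right, since the early return then needs no unlock. It is also worth confirming whether other ioctl handlers that pass a user-controlled numid to snd_ctl_find_numid() need the same guard, because the commit message describes the warning as meant for kernel drivers only.
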
--
2.7.0