lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <s5h1t9fuite.wl-tiwai@suse.de>
Date:	Mon, 18 Jan 2016 14:18:53 +0100
From:	Takashi Iwai <tiwai@...e.de>
To:	Nicolas Boichat <drinkcat@...omium.org>
Cc:	alsa-devel@...a-project.org,
	Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
	Jaroslav Kysela <perex@...ex.cz>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode

On Mon, 18 Jan 2016 14:00:19 +0100,
Nicolas Boichat wrote:
> 
> On Mon, Jan 18, 2016 at 2:37 PM, Takashi Iwai <tiwai@...e.de> wrote:
> > On Mon, 18 Jan 2016 04:49:18 +0100,
> > Nicolas Boichat wrote:
> >>
> >> Running a kernel with KASan enabled, we spotted that the following
> >> read in sound/soc/soc-pcm.c:soc_pcm_hw_params() is out of bounds:
> >>
> >>               /* copy params for each codec */
> >>               codec_params = *params;
> >>
> >> The problem comes from sound/core/pcm_compat.c,
> >> snd_pcm_ioctl_hw_params_compat, where we're copying from a
> >> struct snd_pcm_hw_params to a struct snd_pcm_hw_params32:
> >>
> >>       /* only fifo_size is different, so just copy all */
> >>       data = memdup_user(data32, sizeof(*data32));
> >>
> >> It turns out that snd_pcm_hw_params is 4 bytes longer than
> >> snd_pcm_hw_params32, that's why an out-of-bounds read happens.
> >>
> >> We separate kmalloc and memory copy operations to make sure
> >> data has the correct length.
> >>
> >> Signed-off-by: Nicolas Boichat <drinkcat@...omium.org>
> >
> > Thanks for reporting.  This is indeed effectively a revert of the
> > commit ef44a1ec6eee ('ALSA: sound/core: use memdup_user()'), which is
> > obviously wrong.  Sigh, it's a really danger of such a "cleanup"
> > patch.
> 
> Oh, well spotted!
> 
> > Could you rephrase the changelog mentioning the affecting commit and
> > resubmit?
> 
> Sure. Looking at that commit, there is another suspicious memdup_user
> in sound/seq/seq_compat.c (similar issue: struct snd_seq_port_info32
> is 4 bytes shorter than struct snd_seq_port_info). I'll revert that
> one as well.

Good catch.  I'm looking forward to seeing newer patches!


Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ