Message-ID: <CACT4Y+b_VEiA3UBu==QGK1w5A6iVVZkb_kCWB42+L4nmP3yWyw@mail.gmail.com>
Date: Mon, 18 Jan 2016 14:18:57 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Takashi Iwai <tiwai@...e.de>
Cc: alsa-devel@...a-project.org, Jaroslav Kysela <perex@...ex.cz>,
Takashi Sakamoto <o-takashi@...amocchi.jp>,
LKML <linux-kernel@...r.kernel.org>,
Alexander Potapenko <glider@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
syzkaller <syzkaller@...glegroups.com>,
Sasha Levin <sasha.levin@...cle.com>
Subject: Re: sound: BUG in snd_ctl_find_numid
On Mon, Jan 18, 2016 at 2:17 PM, Takashi Iwai <tiwai@...e.de> wrote:
> On Mon, 18 Jan 2016 13:59:49 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program triggers a BUG in snd_ctl_find_numid:
>
> Do I understand correctly that you meant a kernel WARNING with a stack
> trace as a "BUG"? If so, the patch below should cover it.
Yes, I guess it's just a BUG warning message.
> thanks,
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai <tiwai@...e.de>
> Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with
> numid 0
>
> When a TLV ioctl with numid zero is handled, the driver may spew a
> kernel warning with a stack trace at each call. The check was
> intended obviously only for a kernel driver, but not for a user
> interaction. Let's fix it.
>
> This was spotted by syzkaller fuzzer.
>
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
> ---
> sound/core/control.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/sound/core/control.c b/sound/core/control.c
> index 196a6fe100ca..a85d45595d02 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
> return -EFAULT;
> if (tlv.length < sizeof(unsigned int) * 2)
> return -EINVAL;
> + if (!tlv.numid)
> + return -EINVAL;
> down_read(&card->controls_rwsem);
> kctl = snd_ctl_find_numid(card, tlv.numid);
> if (kctl == NULL) {
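Review bot: The added `if (!tlv.numid)` test has no comment, and the hunk alone does not say why zero is rejected here rather than being left to the `kctl == NULL` path after `snd_ctl_find_numid(card, tlv.numid)`. A one-line comment stating that `tlv.numid` is copied from user space and that zero would otherwise trigger the kernel warning described in the commit message would keep a later cleanup from dropping the check. Placing it before `down_read(&card->controls_rwsem)` is correct, since the early return then needs no unlock. Because it returns the same -EINVAL as the `tlv.length` test directly above, the two conditions could be combined into one validation step.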
> --
> 2.7.0
>