lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <8c8342098506bf0d0a31b23f2ebbb407473cb578.1468483951.git.jslaby@suse.cz>
Date:	Thu, 14 Jul 2016 10:16:16 +0200
From:	Jiri Slaby <jslaby@...e.cz>
To:	stable@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	Dan Carpenter <dan.carpenter@...cle.com>,
	Takashi Iwai <tiwai@...e.de>, Jiri Slaby <jslaby@...e.cz>
Subject: [PATCH 3.12 84/88] ALSA: compress: fix an integer overflow check

From: Dan Carpenter <dan.carpenter@...cle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 upstream.

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
---
 sound/core/compress_offload.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index 3f2b4b7f2ec9..a20650d28844 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -501,7 +501,7 @@ static int snd_compress_check_input(struct snd_compr_params *params)
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */
-- 
2.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ