lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <1531926420-25488-1-git-send-email-srikanth.h@samsung.com>
Date:   Wed, 18 Jul 2018 20:37:00 +0530
From:   Srikanth K H <srikanth.h@...sung.com>
To:     perex@...ex.cz, tiwai@...e.com, elfring@...rs.sourceforge.net,
        ben.hutchings@...ethink.co.uk, viro@...iv.linux.org.uk,
        keescook@...omium.org, alsa-devel@...a-project.org,
        linux-kernel@...r.kernel.org
Cc:     cpgs@...sung.com, srikanth.h@...sung.com
Subject: [PATCHv2 1/1] Preventive fix in sound module

If the timer object is created without the card for entries
"SNDRV_TIMER_CLASS_CARD" and "SNDRV_TIMER_CLASS_PCM", then
while reading the sound info entry in function
"snd_timer_proc_read" the card information is directly
dereferenced without checking for NULL and hence kernel
panic occur. So as preventive measure while the creating
the sound timer object is created the card information
availability is checked for the mentioned entries and
returned error if its NULL.

Signed-off-by: Srikanth K H <srikanth.h@...sung.com>
---
 sound/core/timer.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index c7be4f1..06f734f 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -883,6 +883,11 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
 
 	if (snd_BUG_ON(!tid))
 		return -EINVAL;
+	if (tid->dev_class == SNDRV_TIMER_CLASS_CARD ||
+			tid->dev_class == SNDRV_TIMER_CLASS_PCM) {
+		if (WARN_ON(!card))
+			return -EINVAL;
+	}
 	if (rtimer)
 		*rtimer = NULL;
 	timer = kzalloc(sizeof(*timer), GFP_KERNEL);
@@ -1192,12 +1197,10 @@ static void snd_timer_proc_read(struct snd_info_entry *entry,
 			break;
 		case SNDRV_TIMER_CLASS_CARD:
 			snd_iprintf(buffer, "C%i-%i: ",
-					timer->card ? timer->card->number : -1,
-					timer->tmr_device);
+				    timer->card->number, timer->tmr_device);
 			break;
 		case SNDRV_TIMER_CLASS_PCM:
-			snd_iprintf(buffer, "P%i-%i-%i: ",
-					timer->card ? timer->card->number : -1,
+			snd_iprintf(buffer, "P%i-%i-%i: ", timer->card->number,
 				    timer->tmr_device, timer->tmr_subdevice);
 			break;
 		default:
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ