lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <s5ho8v5renx.wl-tiwai@suse.de>
Date:   Tue, 14 Jan 2020 21:01:06 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     Colin King <colin.king@...onical.com>
Cc:     Jaroslav Kysela <perex@...ex.cz>, alsa-devel@...a-project.org,
        kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ALSA: hda - fix out of bounds read on spec->smux_paths

On Tue, 14 Jan 2020 16:44:12 +0100,
Colin King wrote:
> 
> From: Colin Ian King <colin.king@...onical.com>
> 
> It is possible for the call to snd_hda_get_num_conns to fail and return
> a negative error code that gets assigned to num_conns. In that specific
> case, the check of very large values of val against num_conns will not
> fail the -EINVAL check and later on an out of bounds array read on
> spec->smux_paths will occur.  Fix this by sanity checking for an error
> return from the call to snd_hda_get_num_conns.

Thanks for the patch, but this can't happen.
The ad1988_auto_smux_enum_put() is used only for IEC958 Playback
Source element, and it's added in ad1988_add_spdif_mux_ctl().  And
there at the beginning, there is already a check of the value:

	num_conns = snd_hda_get_num_conns(codec, 0x0b) + 1;
	if (num_conns != 3 && num_conns != 4)
		return 0;
				
And the snd_hda_get_num_conns() function returns the cached value,
hence it's always same at the second and later calls, so it can't be a
negative error.

That said, I don't think we need to apply the change as is.  But if we
were to improve something, we can rather record this number more
explicitly e.g. introduce a new field spec->num_spdif_mux_conns and
keep there instead of calling snd_hda_get_num_conns() at each place.


thanks,

Takashi

> 
> Addresses-Coverity: ("Out-of-bounds read")
> Fixes: 272f3ea31776 ("ALSA: hda - Add SPDIF mux control to AD codec auto-parser")
> Signed-off-by: Colin Ian King <colin.king@...onical.com>
> ---
>  sound/pci/hda/patch_analog.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c
> index 88c46b051d14..399561369495 100644
> --- a/sound/pci/hda/patch_analog.c
> +++ b/sound/pci/hda/patch_analog.c
> @@ -756,9 +756,11 @@ static int ad1988_auto_smux_enum_put(struct snd_kcontrol *kcontrol,
>  	struct ad198x_spec *spec = codec->spec;
>  	unsigned int val = ucontrol->value.enumerated.item[0];
>  	struct nid_path *path;
> -	int num_conns = snd_hda_get_num_conns(codec, 0x0b) + 1;
> +	int num_conns = snd_hda_get_num_conns(codec, 0x0b);
>  
> -	if (val >= num_conns)
> +	if (num_conns < 0)
> +		return num_conns;
> +	if (val >= num_conns + 1)
>  		return -EINVAL;
>  	if (spec->cur_smux == val)
>  		return 0;
> -- 
> 2.24.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ