lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87cyvj3igf.wl-tiwai@suse.de>
Date:   Wed, 06 Dec 2023 08:20:48 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     Jason Zhang <jason.zhang@...k-chips.com>
Cc:     perex@...ex.cz, tiwai@...e.com, linux-sound@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ALSA: pcm: fix out-of-bounds in snd_pcm_state_names

On Wed, 06 Dec 2023 02:31:39 +0100,
Jason Zhang wrote:
> 
> The pcm state can be SNDRV_PCM_STATE_DISCONNECTED at disconnect
> callback, and there is not an entry of SNDRV_PCM_STATE_DISCONNECTED
> in snd_pcm_state_names.
> 
> This patch adds the missing entry to resolve this issue.
> 
> cat /proc/asound/card2/pcm0p/sub0/status
> That results in stack traces like the following:
> 
> [   99.702732][ T5171] Unexpected kernel BRK exception at EL1
> [   99.702774][ T5171] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
> [   99.703858][ T5171] Modules linked in: bcmdhd(E) (...)
> [   99.747425][ T5171] CPU: 3 PID: 5171 Comm: cat Tainted: G         C OE     5.10.189-android13-4-00003-g4a17384380d8-ab11086999 #1
> [   99.748447][ T5171] Hardware name: Rockchip RK3588 CVTE V10 Board (DT)
> [   99.749024][ T5171] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
> [   99.749616][ T5171] pc : snd_pcm_substream_proc_status_read+0x264/0x2bc
> [   99.750204][ T5171] lr : snd_pcm_substream_proc_status_read+0xa4/0x2bc
> [   99.750778][ T5171] sp : ffffffc0175abae0
> [   99.751132][ T5171] x29: ffffffc0175abb80 x28: ffffffc009a2c498
> [   99.751665][ T5171] x27: 0000000000000001 x26: ffffff810cbae6e8
> [   99.752199][ T5171] x25: 0000000000400cc0 x24: ffffffc0175abc60
> [   99.752729][ T5171] x23: 0000000000000000 x22: ffffff802f558400
> [   99.753263][ T5171] x21: ffffff81d8d8ff00 x20: ffffff81020cdc00
> [   99.753795][ T5171] x19: ffffff802d110000 x18: ffffffc014fbd058
> [   99.754326][ T5171] x17: 0000000000000000 x16: 0000000000000000
> [   99.754861][ T5171] x15: 000000000000c276 x14: ffffffff9a976fda
> [   99.755392][ T5171] x13: 0000000065689089 x12: 000000000000d72e
> [   99.755923][ T5171] x11: ffffff802d110000 x10: 00000000000000e0
> [   99.756457][ T5171] x9 : 9c431600c8385d00 x8 : 0000000000000008
> [   99.756990][ T5171] x7 : 0000000000000000 x6 : 000000000000003f
> [   99.757522][ T5171] x5 : 0000000000000040 x4 : ffffffc0175abb70
> [   99.758056][ T5171] x3 : 0000000000000001 x2 : 0000000000000001
> [   99.758588][ T5171] x1 : 0000000000000000 x0 : 0000000000000000
> [   99.759123][ T5171] Call trace:
> [   99.759404][ T5171]  snd_pcm_substream_proc_status_read+0x264/0x2bc
> [   99.759958][ T5171]  snd_info_seq_show+0x54/0xa4
> [   99.760370][ T5171]  seq_read_iter+0x19c/0x7d4
> [   99.760770][ T5171]  seq_read+0xf0/0x128
> [   99.761117][ T5171]  proc_reg_read+0x100/0x1f8
> [   99.761515][ T5171]  vfs_read+0xf4/0x354
> [   99.761869][ T5171]  ksys_read+0x7c/0x148
> [   99.762226][ T5171]  __arm64_sys_read+0x20/0x30
> [   99.762625][ T5171]  el0_svc_common+0xd0/0x1e4
> [   99.763023][ T5171]  el0_svc+0x28/0x98
> [   99.763358][ T5171]  el0_sync_handler+0x8c/0xf0
> [   99.763759][ T5171]  el0_sync+0x1b8/0x1c0
> [   99.764118][ T5171] Code: d65f03c0 b9406102 17ffffae 94191565 (d42aa240)
> [   99.764715][ T5171] ---[ end trace 1eeffa3e17c58e10 ]---
> [   99.780720][ T5171] Kernel panic - not syncing: BRK handler: Fatal exception
> 
> Signed-off-by: Jason Zhang <jason.zhang@...k-chips.com>

Thanks, applied now.

We should add range checks at the helper functions that access the
arrays, too.  I'll submit the patch later.


Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ