| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 06 Dec 2023 08:20:48 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Jason Zhang <jason.zhang@...k-chips.com>
Cc: perex@...ex.cz, tiwai@...e.com, linux-sound@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
On Wed, 06 Dec 2023 02:31:39 +0100,
Jason Zhang wrote:
>
> The pcm state can be SNDRV_PCM_STATE_DISCONNECTED at disconnect
> callback, and there is not an entry of SNDRV_PCM_STATE_DISCONNECTED
> in snd_pcm_state_names.
>
> This patch adds the missing entry to resolve this issue.
>
> cat /proc/asound/card2/pcm0p/sub0/status
> That results in stack traces like the following:
>
> [ 99.702732][ T5171] Unexpected kernel BRK exception at EL1
> [ 99.702774][ T5171] Internal error: BRK handler: f2005512 [#1] PREEMPT SMP
> [ 99.703858][ T5171] Modules linked in: bcmdhd(E) (...)
> [ 99.747425][ T5171] CPU: 3 PID: 5171 Comm: cat Tainted: G C OE 5.10.189-android13-4-00003-g4a17384380d8-ab11086999 #1
> [ 99.748447][ T5171] Hardware name: Rockchip RK3588 CVTE V10 Board (DT)
> [ 99.749024][ T5171] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
> [ 99.749616][ T5171] pc : snd_pcm_substream_proc_status_read+0x264/0x2bc
> [ 99.750204][ T5171] lr : snd_pcm_substream_proc_status_read+0xa4/0x2bc
> [ 99.750778][ T5171] sp : ffffffc0175abae0
> [ 99.751132][ T5171] x29: ffffffc0175abb80 x28: ffffffc009a2c498
> [ 99.751665][ T5171] x27: 0000000000000001 x26: ffffff810cbae6e8
> [ 99.752199][ T5171] x25: 0000000000400cc0 x24: ffffffc0175abc60
> [ 99.752729][ T5171] x23: 0000000000000000 x22: ffffff802f558400
> [ 99.753263][ T5171] x21: ffffff81d8d8ff00 x20: ffffff81020cdc00
> [ 99.753795][ T5171] x19: ffffff802d110000 x18: ffffffc014fbd058
> [ 99.754326][ T5171] x17: 0000000000000000 x16: 0000000000000000
> [ 99.754861][ T5171] x15: 000000000000c276 x14: ffffffff9a976fda
> [ 99.755392][ T5171] x13: 0000000065689089 x12: 000000000000d72e
> [ 99.755923][ T5171] x11: ffffff802d110000 x10: 00000000000000e0
> [ 99.756457][ T5171] x9 : 9c431600c8385d00 x8 : 0000000000000008
> [ 99.756990][ T5171] x7 : 0000000000000000 x6 : 000000000000003f
> [ 99.757522][ T5171] x5 : 0000000000000040 x4 : ffffffc0175abb70
> [ 99.758056][ T5171] x3 : 0000000000000001 x2 : 0000000000000001
> [ 99.758588][ T5171] x1 : 0000000000000000 x0 : 0000000000000000
> [ 99.759123][ T5171] Call trace:
> [ 99.759404][ T5171] snd_pcm_substream_proc_status_read+0x264/0x2bc
> [ 99.759958][ T5171] snd_info_seq_show+0x54/0xa4
> [ 99.760370][ T5171] seq_read_iter+0x19c/0x7d4
> [ 99.760770][ T5171] seq_read+0xf0/0x128
> [ 99.761117][ T5171] proc_reg_read+0x100/0x1f8
> [ 99.761515][ T5171] vfs_read+0xf4/0x354
> [ 99.761869][ T5171] ksys_read+0x7c/0x148
> [ 99.762226][ T5171] __arm64_sys_read+0x20/0x30
> [ 99.762625][ T5171] el0_svc_common+0xd0/0x1e4
> [ 99.763023][ T5171] el0_svc+0x28/0x98
> [ 99.763358][ T5171] el0_sync_handler+0x8c/0xf0
> [ 99.763759][ T5171] el0_sync+0x1b8/0x1c0
> [ 99.764118][ T5171] Code: d65f03c0 b9406102 17ffffae 94191565 (d42aa240)
> [ 99.764715][ T5171] ---[ end trace 1eeffa3e17c58e10 ]---
> [ 99.780720][ T5171] Kernel panic - not syncing: BRK handler: Fatal exception
>
> Signed-off-by: Jason Zhang <jason.zhang@...k-chips.com>
Thanks, applied now.
We should add range checks at the helper functions that access the
arrays, too. I'll submit the patch later.
Takashi
Powered by blists - more mailing lists