lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <90cde49e-072d-4236-bcb9-affb0a1ce6af@gmail.com>
Date: Fri, 16 Feb 2024 23:05:22 +0000
From: Ivan Orlov <ivan.orlov0322@...il.com>
To: Arnd Bergmann <arnd@...nel.org>, Jaroslav Kysela <perex@...ex.cz>,
 Takashi Iwai <tiwai@...e.com>
Cc: Arnd Bergmann <arnd@...db.de>, Naresh Kamboju
 <naresh.kamboju@...aro.org>, linux-sound@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ALSA: core: fix buffer overflow in
 test_format_fill_silence()

On 2/16/24 13:00, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
> 
> KASAN caught a buffer overflow with the hardcoded 2048 byte buffer
> size, when 2080 bytes are written to it:
> 
>   BUG: KASAN: slab-out-of-bounds in snd_pcm_format_set_silence+0x3bc/0x3e4
>   Write of size 8 at addr ffff0000c8149800 by task kunit_try_catch/1297
> 
>   CPU: 0 PID: 1297 Comm: kunit_try_catch Tainted: G N 6.8.0-rc4-next-20240216 #1
>   Hardware name: linux,dummy-virt (DT)
>   Call trace:
>    kasan_report+0x78/0xc0
>    __asan_report_store_n_noabort+0x1c/0x28
>    snd_pcm_format_set_silence+0x3bc/0x3e4
>    _test_fill_silence+0xdc/0x298
>    test_format_fill_silence+0x110/0x228
>    kunit_try_run_case+0x144/0x3bc
>    kunit_generic_run_threadfn_adapter+0x50/0x94
>    kthread+0x330/0x3e8
>    ret_from_fork+0x10/0x20
> 
>   Allocated by task 1297:
>    __kmalloc+0x17c/0x2f0
>    kunit_kmalloc_array+0x2c/0x78
>    test_format_fill_silence+0xcc/0x228
>    kunit_try_run_case+0x144/0x3bc
>    kunit_generic_run_threadfn_adapter+0x50/0x94
>    kthread+0x330/0x3e8
>    ret_from_fork+0x10/0x20
> 
> Replace the incorrect size with the correct length of 260 64-bit samples.
> 
> Reported-by: Naresh Kamboju <naresh.kamboju@...aro.org>
> Fixes: 3e39acf56ede ("ALSA: core: Add sound core KUnit test")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> Naresh, I slightly changed the patch to make the computation more obvious,
> can you test again to make sure I got this right?
> ---
>   sound/core/sound_kunit.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/core/sound_kunit.c b/sound/core/sound_kunit.c
> index 5d5a7bf88de4..7f16101ece7a 100644
> --- a/sound/core/sound_kunit.c
> +++ b/sound/core/sound_kunit.c
> @@ -8,7 +8,7 @@
>   #include <sound/core.h>
>   #include <sound/pcm.h>
>   
> -#define SILENCE_BUFFER_SIZE 2048
> +#define SILENCE_BUFFER_SIZE (sizeof(u64) * 260)

I believe it would be good to define FILL_SILENCE_MAX_FRAMES to 260, 
update the 'buf_samples' array correspondingly and define the 
SILENCE_BUFFER_SIZE as (sizeof(u64) * FILL_SILENCE_MAX_FRAMES), so it 
would be more clear where '260' came from.

Thank you for fixing this!
-- 
Kind regards,
Ivan Orlov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ