2023-02-07 13:20:52

by Artemii Karasev

[permalink] [raw]
Subject: [PATCH] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control()

snd_emux_xg_control() can be called with an argument 'param' greater
than size of 'control' array. It may lead to accessing 'control'
array at a wrong index.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Artemii Karasev <[email protected]>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
---
sound/synth/emux/emux_nrpn.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/sound/synth/emux/emux_nrpn.c b/sound/synth/emux/emux_nrpn.c
index 8056422ed7c5..9e6414f78e4b 100644
--- a/sound/synth/emux/emux_nrpn.c
+++ b/sound/synth/emux/emux_nrpn.c
@@ -349,6 +349,9 @@ int
snd_emux_xg_control(struct snd_emux_port *port, struct snd_midi_channel *chan,
int param)
{
+ if (param >= ARRAY_SIZE(chan->control))
+ return -EINVAL;
+
return send_converted_effect(xg_effects, ARRAY_SIZE(xg_effects),
port, chan, param,
chan->control[param],
--
2.34.1



2023-02-07 13:33:14

by Takashi Iwai

[permalink] [raw]
Subject: Re: [PATCH] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control()

On Tue, 07 Feb 2023 14:20:26 +0100,
Artemii Karasev wrote:
>
> snd_emux_xg_control() can be called with an argument 'param' greater
> than size of 'control' array. It may lead to accessing 'control'
> array at a wrong index.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Artemii Karasev <[email protected]>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Thanks, applied now.


Takashi