Date: Wed, 15 Aug 2018 17:55:48 -0700
Message-Id: <20180816005548.151269-1-erickreyes@google.com>
Subject: [PATCH] ALSA: info: Check for integer overflow in snd_info_entry_write()
From: Erick Reyes
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Jaroslav Kysela, Takashi Iwai, kernel-team@android.com, Vinod Koul, Joe Perches, Al Viro, alsa-devel@alsa-project.org, Erick Reyes, Siqi Lin
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 4adb7bcbcb69 ("ALSA: core: Use seq_file for text proc file reads") heavily refactored ALSA procfs and fixed the overflow as a side-effect, so this fix only applies to kernels < 4.2 and there is no upstream equivalent.

snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int.

Signed-off-by: Siqi Lin
Signed-off-by: Erick Reyes
---
 sound/core/info.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/core/info.c b/sound/core/info.c index 9f404e965ea2..08832c973a53 100644 --- a/sound/core/info.c +++ b/sound/core/info.c
@@ -253,6 +253,7 @@ static ssize_t snd_info_entry_write(struct file *file, const char __user *buffer struct snd_info_buffer *buf; ssize_t size = 0; loff_t pos; + unsigned long realloc_size; data = file->private_data; if (snd_BUG_ON(!data)) @@ -261,7 +262,8 @@ static ssize_t snd_info_entry_write(struct file *file, const char __user *buffer pos = *offset; if (pos < 0 || (long) pos != pos || (ssize_t) count < 0) return -EIO; - if ((unsigned long) pos + (unsigned long) count < (unsigned long) pos) + realloc_size = (unsigned long) pos + (unsigned long) count; + if (realloc_size < (unsigned long) pos || realloc_size > UINT_MAX) return -EIO; switch (entry->content) { case SNDRV_INFO_CONTENT_TEXT: -- 2.18.0.865.gffc8e1a3cd6-goog
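
Review bot: In the first hunk (@@ -253,6 +253,7 @@), realloc_size is only read by the new bounds check in the lines shown, so the value that is validated and the value later handed to resize_info_buffer() may be two separate pos + count expressions. Passing realloc_size to that call would tie the check to its use and justify the name; if it stays check-only, a name that describes the end offset would be clearer.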
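
Review bot: In the second hunk (@@ -261,7 +262,8 @@), the new realloc_size > UINT_MAX test sits before switch (entry->content), so it rejects large offsets for every content type and not only SNDRV_INFO_CONTENT_TEXT. If only the text path reaches resize_info_buffer(), moving the upper bound into that case would leave the other entry types' write behaviour unchanged. A one-line comment stating that the bound exists because resize_info_buffer() takes an unsigned int would also help, since on 32-bit builds the comparison can never be true and reads as dead code. The changelog names copy_to_user(), while this handler takes const char __user *buffer; it is worth double-checking which copy is meant.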
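
The truncation described in the changelog, as an added userspace example (not code from the patch or the kernel). It assumes uint64_t as a model of unsigned long on a 64-bit kernel and uint32_t as a model of the unsigned int parameter of resize_info_buffer(); the helper names and sample offsets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model, constructed for illustration: uint64_t stands in for
 * unsigned long on a 64-bit kernel, uint32_t for unsigned int. */

/* Size a resize helper with an unsigned int parameter actually receives. */
static uint32_t size_seen_by_resize(uint64_t pos, uint64_t count)
{
    return (uint32_t)(pos + count); /* the implicit narrowing, made explicit */
}

/* Pre-patch check: rejects only wraparound of the 64-bit sum. */
static int old_check_ok(uint64_t pos, uint64_t count)
{
    return !(pos + count < pos);
}

/* Post-patch check: also rejects sums that do not fit in 32 bits. */
static int new_check_ok(uint64_t pos, uint64_t count)
{
    uint64_t realloc_size = pos + count;

    return !(realloc_size < pos || realloc_size > UINT32_MAX);
}

/* 1 if the write ends past the size the resize helper was asked for. */
static int write_exceeds_buffer(uint64_t pos, uint64_t count)
{
    return pos + count > (uint64_t)size_seen_by_resize(pos, count);
}

int main(void)
{
    /* Constructed sample: offset just below 4 GiB, 32-byte write. */
    uint64_t pos = 0xFFFFFFF0ULL, count = 0x20;

    printf("end offset        : %llu\n", (unsigned long long)(pos + count));
    printf("size resize sees  : %u\n", (unsigned)size_seen_by_resize(pos, count));
    printf("old check accepts : %d\n", old_check_ok(pos, count));
    printf("new check accepts : %d\n", new_check_ok(pos, count));
    printf("write out of range: %d\n", write_exceeds_buffer(pos, count));
    return 0;
}
```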