From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.19 202/243] ALSA: pcm: oss: Avoid potential buffer overflows
Date: Wed, 11 Dec 2019 16:06:04 +0100
Message-Id: <20191211150352.821623102@linuxfoundation.org>
In-Reply-To: <20191211150339.185439726@linuxfoundation.org>
References: <20191211150339.185439726@linuxfoundation.org>

From: Takashi Iwai

commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems to be an overflow of the internal buffer allocated for a plugin. Since the rate plugin adjusts its transfer size dynamically, the calculation for the chained plugin might be bigger than the given buffer size in some extreme cases, which leads to such a buffer overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc:
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/oss/linear.c | 2 ++
 sound/core/oss/mulaw.c | 2 ++
 sound/core/oss/route.c | 2 ++
 3 files changed, 6 insertions(+)

--- a/sound/core/oss/linear.c +++ b/sound/core/oss/linear.c @@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer } } #endif + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; convert(plugin, src_channels, dst_channels, frames); return frames; } --- a/sound/core/oss/mulaw.c +++ b/sound/core/oss/mulaw.c 
@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer( } } #endif + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; data = (struct mulaw_priv *)plugin->extra_data; data->func(plugin, src_channels, dst_channels, frames); return frames; --- a/sound/core/oss/route.c +++ b/sound/core/oss/route.c @@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer( return -ENXIO; if (frames == 0) return 0; + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; nsrcs = plugin->src_format.channels; ndsts = plugin->dst_format.channels;
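
Review bot: In the sound/core/oss/linear.c hunk, the new bound is taken from dst_channels[0].frames only, while convert() is then handed the whole dst_channels array. If every destination channel is guaranteed to carry the same frames value as channel 0, a one-line comment above the check stating that invariant would make the fix auditable from this function alone; if that is not guaranteed, the clamp should use the minimum over all destination channels, otherwise a shorter channel can still be overrun.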
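
Review bot: In the sound/core/oss/mulaw.c hunk, the two-line clamp "if (frames > dst_channels[0].frames) frames = dst_channels[0].frames;" is open-coded exactly as in linear.c and route.c, with no comment saying why the destination can be smaller than the requested count. Consider a small shared helper in the plugin header carrying that explanation (the rate plugin resizing transfers, per the commit message), so a transfer callback added later does not miss the check. Since the function now returns the clamped frames, it is also worth confirming that callers treat a short count as a partial transfer rather than as completion.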
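
Review bot: In the sound/core/oss/route.c hunk, the clamp is inserted after the "if (frames == 0) return 0;" early return, so when dst_channels[0].frames is 0 the count becomes 0 only after that check and the function continues into the nsrcs/ndsts setup with frames == 0. Whether the rest of route_transfer tolerates a zero count is not visible in this hunk; moving the two added lines above the frames == 0 test would let the existing early return cover that case.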