From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 5.4 33/92] ALSA: pcm: oss: Avoid potential buffer overflows
Date: Wed, 11 Dec 2019 16:05:24 +0100
Message-Id: <20191211150236.252442286@linuxfoundation.org>
In-Reply-To: <20191211150221.977775294@linuxfoundation.org>
References: <20191211150221.977775294@linuxfoundation.org>

From: Takashi Iwai

commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems to be an overflow of the internal buffer allocated for a plugin. Since the rate plugin adjusts its transfer size dynamically, the calculation for the chained plugin might be bigger than the given buffer size in some extreme cases, which leads to such a buffer overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc:
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

--- sound/core/oss/linear.c | 2 ++ sound/core/oss/mulaw.c | 2 ++ sound/core/oss/route.c | 2 ++ 3 files changed, 6 insertions(+) --- a/sound/core/oss/linear.c +++ b/sound/core/oss/linear.c @@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer } } #endif + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; convert(plugin, src_channels, dst_channels, frames); return frames; } --- a/sound/core/oss/mulaw.c +++ b/sound/core/oss/mulaw.c
@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer( } } #endif + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; data = (struct mulaw_priv *)plugin->extra_data; data->func(plugin, src_channels, dst_channels, frames); return frames; --- a/sound/core/oss/route.c +++ b/sound/core/oss/route.c @@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer( return -ENXIO; if (frames == 0) return 0; + if (frames > dst_channels[0].frames) + frames = dst_channels[0].frames; nsrcs = plugin->src_format.channels; ndsts = plugin->dst_format.channels;
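
Review bot: In the linear.c hunk the clamp compares frames only against dst_channels[0].frames, while convert() is then handed the whole dst_channels array. If any other destination channel can carry a smaller frames value, the write past the end is still reachable through that channel. Either clamp to the minimum across the destination channels, or add a comment stating that all destination channels of a plugin share one frame count.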
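
Review bot: The two-line clamp in the mulaw.c hunk is the same text as in linear.c and route.c, and the changelog says "each plugin transfer callback" while the diffstat touches three files. A small shared helper would keep the rule in one place so a future transfer callback cannot miss it, and the changelog should say whether the remaining transfer callbacks were checked and why they need no change.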
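
Review bot: In the route.c hunk the clamp is placed after the "if (frames == 0) return 0;" early return, so a destination with dst_channels[0].frames == 0 sets frames to 0 and execution continues into the nsrcs/ndsts setup instead of returning. Moving the clamp above the zero check would let the existing early exit apply to the clamped value as well.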
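
The clamp described in the commit message, as a user-space model added here for illustration; it is not kernel code and not part of the patch. `struct chan`, `xfer` and `guard_slots_hit` are hypothetical names, and the sample frame counts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a per-channel descriptor:
 * `frames` is how many frames the area behind `buf` can hold. */
struct chan {
    int16_t *buf;
    size_t frames;
};

/* Transfer callback of a downstream plugin (here: halve the amplitude).
 * clamp == 0 trusts the caller's count, as before the fix;
 * clamp != 0 limits the count to the destination size first. */
static long xfer(const struct chan *src, struct chan *dst,
                 size_t frames, int clamp)
{
    if (clamp && frames > dst->frames)
        frames = dst->frames;
    for (size_t i = 0; i < frames; i++)
        dst->buf[i] = src->buf[i] / 2;
    return (long)frames;   /* may be short; the caller must handle that */
}

/* Constructed scenario: the upstream stage hands over 12 frames, but the
 * buffer sized for this plugin holds 8. Four guard slots follow it so the
 * unclamped write stays inside memory this program owns.
 * Returns how many guard slots were overwritten. */
static int guard_slots_hit(int clamp, long *ret)
{
    int16_t in[12], out[8 + 4];
    struct chan src = { in, 12 };
    struct chan dst = { out, 8 };
    int hit = 0;

    for (int i = 0; i < 12; i++) {
        in[i] = 100;
        out[i] = -1;        /* sentinel value */
    }
    *ret = xfer(&src, &dst, 12, clamp);
    for (int i = 8; i < 12; i++)
        hit += (out[i] != -1);
    return hit;
}

int main(void)
{
    long r;
    int hit = guard_slots_hit(0, &r);
    printf("unclamped: returned %ld, guard slots hit %d\n", r, hit);
    hit = guard_slots_hit(1, &r);
    printf("clamped:   returned %ld, guard slots hit %d\n", r, hit);
    return 0;
}
```

The clamped call returns fewer frames than it was asked to move, so whatever drives the chain has to treat the return value as the amount actually transferred.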