From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.4 16/91] ALSA: pcm: oss: Avoid plugin buffer overflow
Date: Wed, 1 Apr 2020 18:17:12 +0200
Message-Id: <20200401161518.639084136@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161512.917494101@linuxfoundation.org>
References: <20200401161512.917494101@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai

commit f2ecf903ef06eb1bbbfa969db9889643d487e73a upstream.

Each OSS PCM plugin allocates its internal buffer per pre-calculation of
the max buffer size through the chain of plugins (calling src_frames and
dst_frames callbacks). This works for most plugins, but the rate plugin
might behave incorrectly. The calculation in the rate plugin involves
the fractional position, i.e. it may vary depending on the input
position. Since the buffer size pre-calculation is always done with the
offset zero, it may return a shorter size than it might be; this may
result in an out-of-bounds access, as spotted by the fuzzer.

This patch addresses those possible buffer overflow accesses by simply
setting the upper limit per the given buffer size for each plugin before
src_frames() and after dst_frames() calls.

Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com
Cc:
Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com
Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/oss/pcm_plugin.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_si if (stream == SNDRV_PCM_STREAM_PLAYBACK) { plugin = snd_pcm_plug_last(plug); while (plugin && drv_frames > 0) { + if (drv_frames > plugin->buf_frames) + drv_frames = plugin->buf_frames; plugin_prev = plugin->prev; if (plugin->src_frames) drv_frames = plugin->src_frames(plugin, drv_frames); @@ -220,6 +222,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_si plugin_next = plugin->next; if (plugin->dst_frames) drv_frames = plugin->dst_frames(plugin, drv_frames); + if (drv_frames > plugin->buf_frames) + drv_frames = plugin->buf_frames; plugin = plugin_next; } } else @@ -248,11 +252,15 @@ snd_pcm_sframes_t snd_pcm_plug_slave_siz if (frames < 0) return frames; } + if (frames > plugin->buf_frames) + frames = plugin->buf_frames; plugin = plugin_next; } } else if (stream == SNDRV_PCM_STREAM_CAPTURE) { plugin = snd_pcm_plug_last(plug); while (plugin) { + if (frames > plugin->buf_frames) + frames = plugin->buf_frames; plugin_prev = plugin->prev; if (plugin->src_frames) { frames = plugin->src_frames(plugin, frames);
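Review bot: in the first hunk (snd_pcm_plug_client_size, playback branch), the clamp `drv_frames = plugin->buf_frames` runs inside `while (plugin && drv_frames > 0)`, so a plugin whose `buf_frames` is still zero would collapse `drv_frames` to 0 and end the walk early with a zero result rather than an error; the changelog does not say whether this function can be reached before every plugin's buffer has been allocated, so it would help to state that ordering assumption in a comment at the clamp site or to guard the clamp with `plugin->buf_frames > 0`.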
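Review bot: in the second hunk (snd_pcm_plug_client_size, capture branch), the new comparison `if (drv_frames > plugin->buf_frames)` sits directly after `drv_frames = plugin->dst_frames(plugin, drv_frames)` with no sign check in between, while the slave_size hunk below checks `if (frames < 0) return frames;` after the same kind of callback; if `buf_frames` is an unsigned type, a negative error return here would be converted for the comparison, clamped to `buf_frames`, and reported to the caller as a valid frame count. Suggest checking `drv_frames < 0` before the clamp, or writing the condition as `drv_frames > 0 && drv_frames > plugin->buf_frames`, so the error code survives.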
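Review bot: in the third hunk (snd_pcm_plug_slave_size), the clamp is placed after the `frames < 0` check in the playback loop but before `src_frames` in the capture loop, and nothing in the code says why the bound is needed at all; since the changelog's rationale (the rate plugin's result depends on the fractional position, so the offset-zero pre-calculation can be short) is the only thing that makes these four identical two-line clamps make sense, a one-line comment such as `/* the rate plugin may report more than the pre-calculated size */` above each clamp would save the next reader from re-deriving it.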
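The changelog's point, that a frame-count calculation depending on a fractional position can exceed the size pre-calculated at offset zero, is shown below in a stand-alone model. This is an added example, not code from the kernel patch or from the kernel's rate plugin: the 16.16 fixed-point `pitch`, the `pos` accumulator, the 44100 to 48000 Hz rates and the 1024-frame period are all assumptions chosen to make the overshoot visible, and the clamp helper reproduces only the pattern the hunks add (`if (frames > buf_frames) frames = buf_frames;`).

```c
/* Added example (not part of the kernel patch): a simplified model of a
 * rate-conversion plugin whose output frame count depends on a fractional
 * position, showing why a buffer sized at offset zero can be one frame
 * short and how clamping to buf_frames bounds the access. */
#include <stdio.h>
#include <stdint.h>

#define SHIFT 16u
#define ONE   (1u << SHIFT)

/* Assumed fixed-point ratio dst_rate/src_rate in 16.16 format (rounded). */
static uint32_t pitch_for(unsigned src_rate, unsigned dst_rate)
{
    return (uint32_t)((((uint64_t)dst_rate << SHIFT) + src_rate / 2) / src_rate);
}

/* Output frames completed when converting src_frames input frames starting
 * at fractional position pos (0 <= pos < ONE). The position carried over
 * from the previous call is what makes the result offset-dependent. */
static unsigned long dst_frames_at(uint32_t pitch, unsigned long src_frames, uint32_t pos)
{
    uint64_t end = (uint64_t)pos + (uint64_t)src_frames * pitch;
    return (unsigned long)(end >> SHIFT);
}

/* The pre-calculation the changelog describes: always done at offset zero. */
static unsigned long precalc_buf_frames(uint32_t pitch, unsigned long src_frames)
{
    return dst_frames_at(pitch, src_frames, 0);
}

/* Worst case over all fractional positions: the largest pos before a
 * frame boundary produces the most completed output frames. */
static unsigned long max_dst_frames(uint32_t pitch, unsigned long src_frames)
{
    return dst_frames_at(pitch, src_frames, ONE - 1);
}

/* The pattern the patch adds at each plugin: never report more frames
 * than the plugin's own buffer can hold. */
static unsigned long clamp_to_buf(unsigned long frames, unsigned long buf_frames)
{
    if (frames > buf_frames)
        frames = buf_frames;
    return frames;
}

/* Frames the caller may safely write for a given position: the
 * position-dependent count, bounded by the pre-calculated buffer. */
static unsigned long safe_dst_frames(uint32_t pitch, unsigned long src_frames, uint32_t pos)
{
    unsigned long buf_frames = precalc_buf_frames(pitch, src_frames);
    return clamp_to_buf(dst_frames_at(pitch, src_frames, pos), buf_frames);
}

int main(void)
{
    uint32_t pitch = pitch_for(44100, 48000);   /* assumed rates */
    unsigned long period = 1024;                /* assumed period size */
    unsigned long buf = precalc_buf_frames(pitch, period);
    unsigned long worst = max_dst_frames(pitch, period);

    printf("pitch=%u buf_frames(offset 0)=%lu worst case=%lu\n", pitch, buf, worst);
    /* Walk a few positions: without the clamp the last ones exceed buf. */
    for (uint32_t pos = 0; pos < ONE; pos += ONE / 4) {
        printf("pos=%5u unclamped=%lu clamped=%lu\n", pos,
               dst_frames_at(pitch, period, pos), safe_dst_frames(pitch, period, pos));
    }
    return 0;
}
```

With the assumed rates the offset-zero pre-calculation yields 1114 frames while a late fractional position yields 1115, so an unclamped conversion would write one frame past the buffer; the clamp makes every position return at most the pre-calculated size, which is exactly the bound the patch enforces at each plugin.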