Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp833496pja;
        Wed, 1 Apr 2020 09:32:09 -0700 (PDT)
X-Google-Smtp-Source: APiQypJotwvrZ7ewx/788EPiDgdl0spSIT8DIz40RYfWkG4O301kdWdBaRlvB7/tl/TUbjBijD4+
X-Received: by 2002:aca:b5c3:: with SMTP id e186mr3312858oif.114.1585758729356;
        Wed, 01 Apr 2020 09:32:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585758729; cv=none;
        d=google.com; s=arc-20160816;
        b=ByWwzgHEQsvzO3hSxGiRGpWS3Adh2jerl5HIiIzB3Oy9ellcpgTsbO6LP/XjveQV9D
         0M1LXcflNwmmphdHFfkE+tDtKoNQYUJvLAf50UJZwL7mtzz+r88mmGtMQTHVgUzz6z+P
         k0vFb0n9V4DLb/YHBsYk4vmiEvwwDldVndHt3y77QjXW9YkaeQBMkL0E3GujfvtB+EVc
         f9oArIXR/Uoy9rFSI7IEHsDjHIl1qhF/Ers/HN7J5makxgP1fMPeGUwKuMrIqERzVN4d
         QA5l45nRZnICPPyQeYsudaRH328GNyUuoYU/BUidN0f0DZa5I107nHRRNqoXTyEwtoPO
         U3DQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=CEMJ4kz8VNY4A3TG2vLJTA2ZjLCUqhQXX9M5gJi8sys=;
        b=i/nc+A1wnTAd/AxV5xVajItsfCIi0vJU1SyJDFYZ0CQqsRvO33x6L/+t5b3HU+q05A
         34tKLOwAlaIufpmjtFGyAs+QI+iDLoGGtQgeTIjMk84frfnpl+1T2q/bMv41n7z2094b
         sWR2tfx7v5ep5x8uZ+lDNFv/zBifKOgAem6zdGPKKEzbP1pEk7SMjo6IPtejUKfollOK
         o8lTxqkKGotz4H6iQLNUNxvfWIc1MKJOIO7aeFVziguLjAx7SH2Kb8SPRUIxqg5GK0uO
         wz8pOMHnt50Wm1lCK52MGvqQYg1gy3moOggD04ZiGPJNinic5oRTfsuj+79QLMtsMhC7
         2ByQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ia6on8FR;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i6si964562oor.75.2020.04.01.09.31.56;
        Wed, 01 Apr 2020 09:32:09 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ia6on8FR;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388224AbgDAQ3z (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 1 Apr 2020 12:29:55 -0400
Received: from mail.kernel.org ([198.145.29.99]:55498 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2388192AbgDAQ3s (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 12:29:48 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 0E32A20658;
        Wed,  1 Apr 2020 16:29:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585758587;
        bh=AL7hoBSzUmkmWDlkQMwp9cp9Ui5kceVTauOdV7/oyJ4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=ia6on8FRD+wLdah6cR5OG1DMG6OFnE9IUWlf0x6SzYUKleJBokAoknBylwMAMN0r6
         v/Zh1vpfv8RTCb26TjHB5qaDLq6h/Ih+zq/wGniv6v94e+lmMLqOykPiDHP4xMcZXV
         e9svlA3L+6gR4q4/wKAH1DSwwPrUNFjpFM9aX0Ng=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com,
        Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.4 16/91] ALSA: pcm: oss: Avoid plugin buffer overflow
Date:   Wed,  1 Apr 2020 18:17:12 +0200
Message-Id: <20200401161518.639084136@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161512.917494101@linuxfoundation.org>
References: <20200401161512.917494101@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai <tiwai@suse.de>

commit f2ecf903ef06eb1bbbfa969db9889643d487e73a upstream.

Each OSS PCM plugins allocate its internal buffer per pre-calculation
of the max buffer size through the chain of plugins (calling
src_frames and dst_frames callbacks).  This works for most plugins,
but the rate plugin might behave incorrectly.  The calculation in the
rate plugin involves with the fractional position, i.e. it may vary
depending on the input position.  Since the buffer size
pre-calculation is always done with the offset zero, it may return a
shorter size than it might be; this may result in the out-of-bound
access as spotted by fuzzer.

This patch addresses those possible buffer overflow accesses by simply
setting the upper limit per the given buffer size for each plugin
before src_frames() and after dst_frames() calls.

Reported-by: syzbot+e1fe9f44fb8ecf4fb5dd@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000b25ea005a02bcf21@google.com
Link: https://lore.kernel.org/r/20200309082148.19855-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/oss/pcm_plugin.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 	if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
 		plugin = snd_pcm_plug_last(plug);
 		while (plugin && drv_frames > 0) {
+			if (drv_frames > plugin->buf_frames)
+				drv_frames = plugin->buf_frames;
 			plugin_prev = plugin->prev;
 			if (plugin->src_frames)
 				drv_frames = plugin->src_frames(plugin, drv_frames);
@@ -220,6 +222,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 			plugin_next = plugin->next;
 			if (plugin->dst_frames)
 				drv_frames = plugin->dst_frames(plugin, drv_frames);
+			if (drv_frames > plugin->buf_frames)
+				drv_frames = plugin->buf_frames;
 			plugin = plugin_next;
 		}
 	} else
@@ -248,11 +252,15 @@ snd_pcm_sframes_t snd_pcm_plug_slave_siz
 				if (frames < 0)
 					return frames;
 			}
+			if (frames > plugin->buf_frames)
+				frames = plugin->buf_frames;
 			plugin = plugin_next;
 		}
 	} else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
 		plugin = snd_pcm_plug_last(plug);
 		while (plugin) {
+			if (frames > plugin->buf_frames)
+				frames = plugin->buf_frames;
 			plugin_prev = plugin->prev;
 			if (plugin->src_frames) {
 				frames = plugin->src_frames(plugin, frames);