Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp531303ybz; Wed, 22 Apr 2020 03:06:18 -0700 (PDT) X-Google-Smtp-Source: APiQypIdFQhM7+oGkQwhcA6BtW4ZbjHWbwHICHagxXMhyfXLvNrIoEPugJIaVnDnii21KueF4eYN X-Received: by 2002:a50:a68a:: with SMTP id e10mr22300660edc.113.1587549978797; Wed, 22 Apr 2020 03:06:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587549978; cv=none; d=google.com; s=arc-20160816; b=yZEBEs3GpIqqn45rJ9npFrfA/LyWUqdcRpWQ1BBsFmN9Fzqh+brq4Mwq7Zotfd6HX7 0BHl3zE8+5mIlzoGgaOqqfDSutf8pEY9hQQvU8EKf/cKGZORbUNq93Z36vYfaNz3j3eE rKfpMe4MrlAGqsdX+o5WAcbpx+j0e2cGV2Q8byRVZy82NB1Gn6wbk/NjtUambYIdudkJ wfzPtYMUMkVIKhWjNmWfpBfOPPUC9grA9mF9g4mAaJfxXsTao9YcNsZvAsqssty4EEj4 QxirTUbNdohvhtTE2M7firc72B/Y626FTkpmO5BgoN4s5hTx1w9nmPXBCSjj8Pwg3HRf m3PA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=NBm8tbQkduK1BEB3ou6a0StjnLMJ7ZN0FFvwJEf1xM4=; b=QG+TKP0bqJ/vP+Nv3lnDSooWpzW/ruJQbCJNxmNbLxj52w5WUhamHttKyu1uYKq3sJ 3ynOhwu/s/DldgopnEUg44HK7894F5r4OzKwigMcBDaki30ZFXIg9DKDWTval5AqcIU1 ugQicklY91d9Tt0UpuAhZSeGJi/yX4MsXeZ4quNREzet1zOCmiEqnrWGXR2QaWzHocSW q/OV1ZVa3Fp+V3qODi5Q4v9hPgXfa4Pp0FVIo7ku6aSzBXMY3l+IJ1p5HYkZ9gaFH8g3 vzz5hWaSnI9YOZ2YFAfp3OO23AEyeMgL4sO6LJfjnslGDrM6fM66hls0cQm3vt45ZHjd xbKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1edt9nyr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[23.128.96.18]) by mx.google.com with ESMTP id n8si3202341eju.329.2020.04.22.03.05.55; Wed, 22 Apr 2020 03:06:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=1edt9nyr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726828AbgDVKBa (ORCPT + 99 others); Wed, 22 Apr 2020 06:01:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:49912 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726799AbgDVKB1 (ORCPT ); Wed, 22 Apr 2020 06:01:27 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5C2C32077D; Wed, 22 Apr 2020 10:01:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1587549686; bh=Q1oyFjKzbrGphP40si7zC/EVZ5glG1t3TqYutsH/IvM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1edt9nyrwc+BTCfZYrm0BFeX1jXtc3VPGvDPnAvy/gwwxNidQwFHOvR1+7gl/airc XV8oyTiCBBWvD43EvwYQynDGIN5/IId1jPWCxv8vK8mDxaqdgO/vTJl3opzT9GP5TW 2DFKtBkenQc7H2Z6eVyxO7Hies6ExFCLML55/JWA= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai , Jari Ruusu Subject: [PATCH 4.4 024/100] ALSA: pcm: oss: Fix regression by buffer overflow fix Date: Wed, 22 Apr 2020 11:55:54 +0200 Message-Id: <20200422095027.091141598@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200422095022.476101261@linuxfoundation.org> References: <20200422095022.476101261@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takashi Iwai commit ae769d3556644888c964635179ef192995f40793 upstream. The recent fix for the OOB access in PCM OSS plugins (commit f2ecf903ef06: "ALSA: pcm: oss: Avoid plugin buffer overflow") caused a regression on OSS applications. The patch introduced the size check in client and slave size calculations to limit to each plugin's buffer size, but I overlooked that some code paths call those without allocating the buffer but just for estimation. This patch fixes the bug by skipping the size check for those code paths while keeping checking in the actual transfer calls. Fixes: f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow") Tested-and-reported-by: Jari Ruusu Cc: Link: https://lore.kernel.org/r/20200403072515.25539-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/oss/pcm_plugin.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) --- a/sound/core/oss/pcm_plugin.c +++ b/sound/core/oss/pcm_plugin.c 
@@ -196,7 +196,9 @@ int snd_pcm_plugin_free(struct snd_pcm_p
 	return 0;
 }
 
-snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_pcm_uframes_t drv_frames)
+static snd_pcm_sframes_t plug_client_size(struct snd_pcm_substream *plug,
+					  snd_pcm_uframes_t drv_frames,
+					  bool check_size)
 {
 	struct snd_pcm_plugin *plugin, *plugin_prev, *plugin_next;
 	int stream;
@@ -209,7 +211,7 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 	if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
 		plugin = snd_pcm_plug_last(plug);
 		while (plugin && drv_frames > 0) {
-			if (drv_frames > plugin->buf_frames)
+			if (check_size && drv_frames > plugin->buf_frames)
 				drv_frames = plugin->buf_frames;
 			plugin_prev = plugin->prev;
 			if (plugin->src_frames)
@@ -222,7 +224,7 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 			plugin_next = plugin->next;
 			if (plugin->dst_frames)
 				drv_frames = plugin->dst_frames(plugin, drv_frames);
-			if (drv_frames > plugin->buf_frames)
+			if (check_size && drv_frames > plugin->buf_frames)
 				drv_frames = plugin->buf_frames;
 			plugin = plugin_next;
 		}
@@ -231,7 +233,9 @@ snd_pcm_sframes_t snd_pcm_plug_client_si
 	return drv_frames;
 }
 
-snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *plug, snd_pcm_uframes_t clt_frames)
+static snd_pcm_sframes_t plug_slave_size(struct snd_pcm_substream *plug,
+					 snd_pcm_uframes_t clt_frames,
+					 bool check_size)
 {
 	struct snd_pcm_plugin *plugin, *plugin_prev, *plugin_next;
 	snd_pcm_sframes_t frames;
@@ -252,14 +256,14 @@ snd_pcm_sframes_t snd_pcm_plug_slave_siz
 				if (frames < 0)
 					return frames;
 			}
-			if (frames > plugin->buf_frames)
+			if (check_size && frames > plugin->buf_frames)
 				frames = plugin->buf_frames;
 			plugin = plugin_next;
 		}
 	} else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
 		plugin = snd_pcm_plug_last(plug);
 		while (plugin) {
-			if (frames > plugin->buf_frames)
+			if (check_size && frames > plugin->buf_frames)
 				frames = plugin->buf_frames;
 			plugin_prev = plugin->prev;
 			if (plugin->src_frames) {
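Review bot: The new `check_size` parameter on `plug_client_size` is undocumented, and nothing in the hunk says when a caller is allowed to pass `false`; the clamp to `plugin->buf_frames` is only meaningful once the plugin buffers exist, so that distinction belongs in a comment above the function, e.g. `/* check_size: clamp to each plugin's buf_frames. Must be true on the real transfer paths (buffers allocated); false when only estimating a size before allocation. */`. The same comment is needed on `plug_slave_size` in the hunk at -231. With the clamp now conditional, the OOB protection from f2ecf903ef06 rests entirely on every data-moving caller passing `true`; the two transfer call sites in this patch do, but a maintainer adding a third path has no hint of that in the code. The body of `plug_client_size` continues outside this hunk.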
@@ -274,6 +278,18 @@ snd_pcm_sframes_t snd_pcm_plug_slave_siz
 	return frames;
 }
 
+snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug,
+					   snd_pcm_uframes_t drv_frames)
+{
+	return plug_client_size(plug, drv_frames, false);
+}
+
+snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *plug,
+					  snd_pcm_uframes_t clt_frames)
+{
+	return plug_slave_size(plug, clt_frames, false);
+}
+
 static int snd_pcm_plug_formats(struct snd_mask *mask, snd_pcm_format_t format)
 {
 	struct snd_mask formats = *mask;
@@ -628,7 +644,7 @@ snd_pcm_sframes_t snd_pcm_plug_write_tra
 		src_channels = dst_channels;
 		plugin = next;
 	}
-	return snd_pcm_plug_client_size(plug, frames);
+	return plug_client_size(plug, frames, true);
 }
 
 snd_pcm_sframes_t snd_pcm_plug_read_transfer(struct snd_pcm_substream *plug, struct snd_pcm_plugin_channel *dst_channels_final, snd_pcm_uframes_t size)
@@ -638,7 +654,7 @@ snd_pcm_sframes_t snd_pcm_plug_read_tran
 	snd_pcm_sframes_t frames = size;
 	int err;
 
-	frames = snd_pcm_plug_slave_size(plug, frames);
+	frames = plug_slave_size(plug, frames, true);
 	if (frames < 0)
 		return frames;
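Review bot: The public wrappers `snd_pcm_plug_client_size` and `snd_pcm_plug_slave_size` in the hunk at -274 now return the unclamped estimate, which quietly changes the contract they had since f2ecf903ef06, and nothing on them says so. Any external caller that uses these results to bound a copy would lose the overflow protection, so the limitation should be stated on the wrappers, e.g. `/* Size estimation only: no clamping to plugin->buf_frames (the buffers may not be allocated yet). Never use the result to bound a buffer access; the transfer paths do the checked conversion. */`. Which out-of-file callers exist is not visible here; the commit message indicates OSS code calls these purely for estimation.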