Received: by 2002:a5d:925a:0:0:0:0:0 with SMTP id e26csp1605245iol; Fri, 10 Jun 2022 10:47:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxoXSIwJUFGCJEXPz5bavQ8JRzluVvpiIQpdmtJt0DhuPVHJyJ6Bk+1H1uzdYB43Bb2fhZo X-Received: by 2002:a63:b105:0:b0:3fd:a875:d16 with SMTP id r5-20020a63b105000000b003fda8750d16mr25686791pgf.209.1654883226450; Fri, 10 Jun 2022 10:47:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654883226; cv=none; d=google.com; s=arc-20160816; b=sohe7HLSopN5aMBuOrfq6kyibe52gDJYoS4TiVy2bUpq086oX25O87IvZHVhu99wEO w90G9cuzAYDsQM8ZdDtvi+kZRH00JJQqqrLLZ6k0PrPLxigaBm5Bj3RELs4OhfRIr8sr P6Y/o+Az5RLQTjOgj9UiHBQufQFITFrgLntUNuJvDOtNywvru9B+OKp5qqTjKz73fWuu /VHUMflgpYzqWkkufcsP10EGmDByGPLqYxWPnOjlygjyqZ9a/gnoHa9McwOLEQB410Ae nWU6p9irk1iTnwaOzXMblG79JcuJC7Q7CJ06AiHEuZOBSGmuM4/Ft+ACQZxEvPGc95pj E/Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=/kU2C9+1c4r8DrGde2cwFqKTTuKnc5J1i5Iu9rWWSbw=; b=Gcdc0/EDgmaDoMAEEDdRkuR8ppjDJdCetzxRZIWVLZBjOWJHMgOBx9lc3rkVbipHRS 97L44dRFOTRDZ4YVURXTErxIV0gloX3RZI2/2ODLq4yflH+DzJFmmRUmQW2Two/x1pmW 3LzqhjouCqMByGtSfzw6QY1xfX0JHp4lyFkP2Tv4H4KZYcKpluhNUW+NbASB0M+o0S87 opI1U6RVUNrBerOczePo3h8FmaClfxKw/aObXojT4rirUNYjmZ69Mu1TBQ8C+0S6uMYj V2U4kqgLNK1WWuRtAGEkc+/fovkNmI0qC8TG34ayzXDjPiissRnekrn8K+M3Z+O8pool JNQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s33-20020a63ff61000000b003fe243ca51csi12250951pgk.243.2022.06.10.10.46.54; Fri, 10 Jun 2022 10:47:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350031AbiFJQ7B (ORCPT + 99 others); Fri, 10 Jun 2022 12:59:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33540 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350035AbiFJQ6c (ORCPT ); Fri, 10 Jun 2022 12:58:32 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF8B010C3 for ; Fri, 10 Jun 2022 09:58:30 -0700 (PDT) Received: from BUMER.localdomain (unknown [93.175.1.252]) by mail.ispras.ru (Postfix) with ESMTPSA id 1C7FC40737C0; Fri, 10 Jun 2022 16:58:21 +0000 (UTC) From: Daniil Dementev To: Jaroslav Kysela Cc: Daniil Dementev , Takashi Iwai , alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov Subject: [PATCH] ALSA: usb-audio: US16x08: Move overflow check before array access Date: Fri, 10 Jun 2022 19:57:32 +0300 Message-Id: <20220610165732.2904-1-d.dementev@ispras.ru> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Buffer overflow could occur in the loop "while", due to accessing an array element before checking the index. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Daniil Dementev Reviewed-by: Alexey Khoroshilov --- sound/usb/mixer_us16x08.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c index b7b6f3834ed5..6eb7d93b358d 100644 --- a/sound/usb/mixer_us16x08.c +++ b/sound/usb/mixer_us16x08.c @@ -637,10 +637,10 @@ static int snd_get_meter_comp_index(struct snd_us16x08_meter_store *store) } } else { /* skip channels with no compressor active */ - while (!store->comp_store->val[ + while (store->comp_index <= SND_US16X08_MAX_CHANNELS + && !store->comp_store->val[ COMP_STORE_IDX(SND_US16X08_ID_COMP_SWITCH)] - [store->comp_index - 1] - && store->comp_index <= SND_US16X08_MAX_CHANNELS) { + [store->comp_index - 1]) { store->comp_index++; } ret = store->comp_index++; -- 2.35.1.windows.2