Date: Tue, 14 Jun 2022 11:58:51 +0200
From: Eugeniu Rosca
To: "Fabio M. De Francesco"
CC: Jaroslav Kysela, Takashi Iwai, Mark Brown, Eugeniu Rosca
Subject: Re: [PATCH] ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
Message-ID: <20220614095851.GA4199@lxhi-065>
References: <20220409012655.9399-1-fmdefrancesco@gmail.com>
In-Reply-To: <20220409012655.9399-1-fmdefrancesco@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello Fabio, hello All,

On Sa, Apr 09, 2022 at 03:26:55 +0200, Fabio M. De Francesco wrote:
> Syzbot reports "KASAN: null-ptr-deref Write in
> snd_pcm_format_set_silence".[1]
>
> It is due to missing validation of the "silence" field of struct
> "pcm_format_data" in "pcm_formats" array.
>
> Add a test for valid "pat" and, if it is not so, return -EINVAL.
>
> [1] https://lore.kernel.org/lkml/000000000000d188ef05dc2c7279@google.com/
>
> Reported-and-tested-by: syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com
> Signed-off-by: Fabio M. De Francesco
> ---
>
> I wasn't able to figure out the commit for the "Fixes:" tag. If this patch
> is good, can someone please help with providing this missing information?
>
> sound/core/pcm_misc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/core/pcm_misc.c b/sound/core/pcm_misc.c > index 4866aed97aac..5588b6a1ee8b 100644 > --- a/sound/core/pcm_misc.c > +++ b/sound/core/pcm_misc.c
> @@ -433,7 +433,7 @@ int snd_pcm_format_set_silence(snd_pcm_format_t format, void *data, unsigned int > return 0; > width = pcm_formats[(INT)format].phys; /* physical width */ > pat = pcm_formats[(INT)format].silence; > - if (! width) > + if (!width || !pat) > return -EINVAL; > /* signed or 1 byte data */ > if (pcm_formats[(INT)format].signd == 1 || width <= 8) {

JFYI, PVS-Studio 7.19 reports:

sound/core/pcm_misc.c 409 warn V560 A part of conditional expression is always false: !pat.

I haven't fully validated the finding, but it appears to be legit, since
the pointer variable (as opposed to the contents behind the pointer) is
always non-null, hence !pat always evaluating to false.

If the above is true, then the patch likely hasn't introduced any
regression, but also likely hasn't fixed the original KASAN problem.

Or are there alternative views?

BR, Eugeniu.
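
Review bot: the added `!pat` test in `if (!width || !pat)` may be dead code. `pat` is assigned one line earlier from `pcm_formats[(INT)format].silence`, and if `silence` is an array member of the struct (its declaration is not part of this hunk), that assignment yields the address of the array inside a table entry, which can never be NULL. Please confirm the member's type; if it is an array, drop `!pat`, since the check cannot reject anything. The syzbot title quoted in the commit message is a null-ptr-deref Write, and the pointer parameter visible in the hunk header is `void *data`, so it is worth checking whether `data` (or its caller) is the pointer that needs validating instead.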