Date: Tue, 14 Jun 2022 12:49:38 +0200
Message-ID: <87y1xzplj1.wl-tiwai@suse.de>
From: Takashi Iwai
To: "Fabio M. De Francesco"
Cc: Eugeniu Rosca, Jaroslav Kysela, Takashi Iwai, Mark Brown, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com, naveenkumar.sunkari@in.bosch.com, Eugeniu Rosca
Subject: Re: [PATCH] ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
In-Reply-To: <2245197.ElGaqSPkdT@opensuse>
References: <20220409012655.9399-1-fmdefrancesco@gmail.com> <20220614095851.GA4199@lxhi-065> <2245197.ElGaqSPkdT@opensuse>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 14 Jun 2022 12:43:16 +0200,
Fabio M. De Francesco wrote:
> 
> On Tuesday, 14 June 2022 11:58:51 CEST Eugeniu Rosca wrote:
> > Hello Fabio, hello All,
> > 
> > On Sa, Apr 09, 2022 at 03:26:55 +0200, Fabio M. De Francesco wrote:
> > > Syzbot reports "KASAN: null-ptr-deref Write in
> > > snd_pcm_format_set_silence".[1]
> > > 
> > > It is due to missing validation of the "silence" field of struct
> > > "pcm_format_data" in "pcm_formats" array.
> > > 
> > > Add a test for valid "pat" and, if it is not so, return -EINVAL.
> > > 
> > > [1] https://lore.kernel.org/lkml/000000000000d188ef05dc2c7279@google.com/
> > > 
> > > Reported-and-tested-by: syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com
> > > Signed-off-by: Fabio M. De Francesco
> > > ---
> > > 
> > > I wasn't able to figure out the commit for the "Fixes:" tag. If this patch
> > > is good, can someone please help with providing this missing information?
> > > 
> > >  sound/core/pcm_misc.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/sound/core/pcm_misc.c b/sound/core/pcm_misc.c
> > > index 4866aed97aac..5588b6a1ee8b 100644
> > > --- a/sound/core/pcm_misc.c
> > > +++ b/sound/core/pcm_misc.c
> > > @@ -433,7 +433,7 @@ int snd_pcm_format_set_silence(snd_pcm_format_t format, void *data, unsigned int
> > >  		return 0;
> > >  	width = pcm_formats[(INT)format].phys; /* physical width */
> > >  	pat = pcm_formats[(INT)format].silence;
> > > -	if (! width)
> > > +	if (!width || !pat)
> > >  		return -EINVAL;
> > >  	/* signed or 1 byte data */
> > >  	if (pcm_formats[(INT)format].signd == 1 || width <= 8) {
> > 
> > JFYI, PVS-Studio 7.19 reports:
> > 
> > sound/core/pcm_misc.c 409 warn V560 A part of conditional expression is always false: !pat.
> 
> Sorry, I assumed (wrongly!) that when we have
> 
> static const struct pcm_format_data pcm_formats[(INT)SNDRV_PCM_FORMAT_LAST+1] = {
> 	[SNDRV_PCM_FORMAT_S8] = {
> 		.width = 8, .phys = 8, .le = -1, .signd = 1,
> 		.silence = {},
> 	},
> [snip]
> 	/* FIXME: the following two formats are not defined properly yet */
> 	[SNDRV_PCM_FORMAT_MPEG] = {
> 		.le = -1, .signd = -1,
> 	},
> 	[SNDRV_PCM_FORMAT_GSM] = {
> 		.le = -1, .signd = -1,
> 	},
> 
> pointer "silence", and then "pat", must be NULL.

Oh right, those are missing ones.  I hadn't realized that those formats
are allowed by the PCM OSS layer.  Practically seen, those formats have
never been used in reality, and we may consider dropping them
completely to plug such holes...


Takashi
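Review bot: the `!pat` test added in the `@@ -433,7 +433,7 @@` hunk is dead code, exactly as the quoted PVS-Studio V560 warning says: `silence` is an array embedded in `struct pcm_format_data` (the quoted initializer writes `.silence = {}`), so `pat = pcm_formats[(INT)format].silence` is the address of storage inside a static table and can never be NULL. The change therefore alters no behaviour and does not explain the syzbot null-ptr-deref it cites. The two under-defined entries (`SNDRV_PCM_FORMAT_MPEG` and `SNDRV_PCM_FORMAT_GSM`, which set no `.phys`) are already rejected by the existing `if (! width)` check two lines above, since `width` is read from `.phys`; the remaining gap, per the reply, is that the PCM OSS layer accepts those formats at all, so the fix belongs at that entry point (or in dropping the two formats), and should carry a `Fixes:` tag once the introducing commit is identified.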
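As an added illustration of the point the thread settles on (this is example code, not the kernel's `sound/core/pcm_misc.c` and not either poster's code), the program below models the `pcm_formats` table with the field names from the quoted initializer and a simplified `set_silence` for 1-byte formats. The format numbers, the `FMT_U8` entry, the 8-byte `silence` array and the buffer sizes are constructed for the example. It shows that the address of an embedded `silence` array is never NULL, so a `!pat` test can never fire, while the entries with no `.phys` width are refused by the width check alone.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed format numbering for the example; the kernel uses
 * snd_pcm_format_t and SNDRV_PCM_FORMAT_* instead. */
enum { FMT_S8, FMT_U8, FMT_MPEG, FMT_GSM, FMT_LAST = FMT_GSM };

struct pcm_format_data {
	unsigned char width;      /* sample width in bits */
	unsigned char phys;       /* physical width in bits, 0 = not defined */
	signed char le;           /* endianness flag, -1 = not applicable */
	signed char signd;        /* 1 = signed, 0 = unsigned, -1 = unknown */
	unsigned char silence[8]; /* silence pattern: an embedded array, not a pointer */
};

static const struct pcm_format_data pcm_formats[FMT_LAST + 1] = {
	[FMT_S8]   = { .width = 8, .phys = 8, .le = -1, .signd = 1, .silence = { 0 } },
	[FMT_U8]   = { .width = 8, .phys = 8, .le = -1, .signd = 0, .silence = { 0x80 } },
	/* the two "not defined properly yet" entries: no width, no phys */
	[FMT_MPEG] = { .le = -1, .signd = -1 },
	[FMT_GSM]  = { .le = -1, .signd = -1 },
};

/* Report whether the silence pattern pointer of a format is NULL.
 * It never is: it points at storage inside the static table, which is
 * why a "!pat" check in the real function is dead code (PVS V560). */
int silence_pattern_is_null(int format)
{
	const unsigned char *pat = pcm_formats[format].silence;

	return pat == NULL; /* always 0, even for the MPEG/GSM entries */
}

/* Simplified model of snd_pcm_format_set_silence, 1-byte samples only:
 * validates the table entry by its physical width and fills `samples`
 * bytes of `data` with the pattern.  Returns 0 or a negative errno. */
int set_silence(int format, void *data, unsigned int samples)
{
	unsigned int width;
	const unsigned char *pat;

	if (format < 0 || format > FMT_LAST)
		return -EINVAL;
	if (samples == 0)
		return 0;
	width = pcm_formats[format].phys; /* physical width */
	pat = pcm_formats[format].silence;
	if (!width)                       /* MPEG and GSM stop here */
		return -EINVAL;
	if (width > 8)                    /* model covers 1-byte data only */
		return -EINVAL;
	memset(data, pat[0], samples);
	return 0;
}

/* Fill a small constructed buffer and return its first byte, -1 if the
 * format was refused, -2 if the fill was not uniform. */
int silence_first_byte(int format)
{
	unsigned char buf[4] = { 0xAA, 0xAA, 0xAA, 0xAA };

	if (set_silence(format, buf, sizeof buf) != 0)
		return -1;
	return buf[0] == buf[3] ? buf[0] : -2;
}

int main(void)
{
	int fmt;

	for (fmt = FMT_S8; fmt <= FMT_LAST; fmt++)
		printf("format %d: pat NULL? %d, first silence byte %d\n",
		       fmt, silence_pattern_is_null(fmt), silence_first_byte(fmt));
	return 0;
}
```

The defensive point is that a lookup-table entry has to be validated through a field that is actually zero for incomplete entries (`phys` here), not through the address of an embedded array, which the compiler will happily fold to "never NULL".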