Subject: Re: [PATCH] ALSA: core: fix buffer overflow in test_format_fill_silence()
From: Ivan Orlov
To: Arnd Bergmann, Jaroslav Kysela, Takashi Iwai
Cc: Arnd Bergmann, Naresh Kamboju, linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 16 Feb 2024 23:05:22 +0000
Message-ID: <90cde49e-072d-4236-bcb9-affb0a1ce6af@gmail.com>
In-Reply-To: <20240216130050.3786789-1-arnd@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2/16/24 13:00, Arnd Bergmann wrote:
> From: Arnd Bergmann
>
> KASAN caught a buffer overflow with the hardcoded 2048 byte buffer
> size, when 2080 bytes are written to it:
>
> BUG: KASAN: slab-out-of-bounds in snd_pcm_format_set_silence+0x3bc/0x3e4
> Write of size 8 at addr ffff0000c8149800 by task kunit_try_catch/1297
>
> CPU: 0 PID: 1297 Comm: kunit_try_catch Tainted: G N 6.8.0-rc4-next-20240216 #1
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>  kasan_report+0x78/0xc0
>  __asan_report_store_n_noabort+0x1c/0x28
>  snd_pcm_format_set_silence+0x3bc/0x3e4
>  _test_fill_silence+0xdc/0x298
>  test_format_fill_silence+0x110/0x228
>  kunit_try_run_case+0x144/0x3bc
>  kunit_generic_run_threadfn_adapter+0x50/0x94
>  kthread+0x330/0x3e8
>  ret_from_fork+0x10/0x20
>
> Allocated by task 1297:
>  __kmalloc+0x17c/0x2f0
>  kunit_kmalloc_array+0x2c/0x78
>  test_format_fill_silence+0xcc/0x228
>  kunit_try_run_case+0x144/0x3bc
>  kunit_generic_run_threadfn_adapter+0x50/0x94
>  kthread+0x330/0x3e8
>  ret_from_fork+0x10/0x20
>
> Replace the incorrect size with the correct length of 260 64-bit samples.
>
> Reported-by: Naresh Kamboju
> Fixes: 3e39acf56ede ("ALSA: core: Add sound core KUnit test")
> Signed-off-by: Arnd Bergmann
> ---
> Naresh, I slightly changed the patch to make the computation more obvious,
> can you test again to make sure I got this right?
> ---
>  sound/core/sound_kunit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/core/sound_kunit.c b/sound/core/sound_kunit.c
> index 5d5a7bf88de4..7f16101ece7a 100644
> --- a/sound/core/sound_kunit.c
> +++ b/sound/core/sound_kunit.c
> @@ -8,7 +8,7 @@ > #include > #include > > -#define SILENCE_BUFFER_SIZE 2048 > +#define SILENCE_BUFFER_SIZE (sizeof(u64) * 260)

I believe it would be good to define FILL_SILENCE_MAX_FRAMES to 260, update the 'buf_samples' array correspondingly and define the SILENCE_BUFFER_SIZE as (sizeof(u64) * FILL_SILENCE_MAX_FRAMES), so it would be more clear where '260' came from.

Thank you for fixing this!

--
Kind regards,
Ivan Orlov
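Review bot: the 260 in the new SILENCE_BUFFER_SIZE is a bare magic number whose origin is not visible in the hunk; a reader has to work back from the commit message that 2080 bytes of u64 writes is 260 samples. Suggest naming the frame count and deriving the size from it, for example `#define SILENCE_MAX_FRAMES 260` and `#define SILENCE_BUFFER_SIZE (sizeof(u64) * SILENCE_MAX_FRAMES)`, and using that same macro where the per-case sample counts are declared, so the buffer and the largest test case cannot drift apart again. It would also be worth a KUnit assertion in _test_fill_silence() that the byte count of the case under test is no larger than SILENCE_BUFFER_SIZE before the fill, so a future mismatch fails the test outright instead of relying on a KASAN build to catch the slab-out-of-bounds write.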
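The sizing problem discussed in this thread, as an added example in plain C that is not part of Arnd's patch or of the kernel's sound_kunit.c: derive the buffer size from the largest entry in the test table instead of hardcoding it, and bounds-check the fill before writing. The case table, the names silence_case, silence_buffer_bytes, fill_silence_checked and count_rejected, and the memset stand-in for snd_pcm_format_set_silence() are all assumptions made for this example; the 8-byte by 260-sample entry is chosen so that it totals the 2080 bytes from the KASAN report.

```c
/* Added example: size a fill buffer from the largest test case rather than
 * from a hardcoded constant, and refuse a fill that would not fit.
 * This is illustrative code, not the kernel's sound_kunit.c. The case table
 * below is constructed and the function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of the constructed test table: bytes per sample and how many
 * samples that case writes. */
struct silence_case {
	size_t width;    /* bytes per sample */
	size_t samples;  /* samples written by this case */
};

static const struct silence_case cases[] = {
	{ 1, 1024 },  /* 1024 bytes */
	{ 2,  512 },  /* 1024 bytes */
	{ 4,  256 },  /* 1024 bytes */
	{ 8,  260 },  /* 2080 bytes: larger than a hardcoded 2048 */
};
#define NUM_CASES (sizeof(cases) / sizeof(cases[0]))

/* Largest write any entry in the table performs. Deriving the buffer size
 * from the table means a new, bigger case cannot silently outgrow it. */
size_t silence_buffer_bytes(void)
{
	size_t max = 0;

	for (size_t i = 0; i < NUM_CASES; i++) {
		size_t bytes = cases[i].width * cases[i].samples;

		if (bytes > max)
			max = bytes;
	}
	return max;
}

/* Fill `samples` samples of `width` bytes with `pattern`, never writing past
 * `buf_len`. Returns 0 on success and -1 if the write would not fit, which is
 * the condition that produced the slab-out-of-bounds report above. */
int fill_silence_checked(uint8_t *buf, size_t buf_len,
			 size_t width, size_t samples, uint8_t pattern)
{
	size_t bytes;

	if (width == 0 || samples > SIZE_MAX / width)
		return -1;		/* width * samples would overflow */
	bytes = width * samples;
	if (bytes > buf_len)
		return -1;		/* would overrun the buffer */
	memset(buf, pattern, bytes);
	return 0;
}

/* Run every table entry against a buffer of `buf_len` bytes and return how
 * many cases were rejected for not fitting; 0 means the buffer is big enough
 * for the whole table, -1 means buf_len exceeds the scratch buffer here. */
int count_rejected(size_t buf_len)
{
	uint8_t buf[4096];
	int rejected = 0;

	if (buf_len > sizeof(buf))
		return -1;
	for (size_t i = 0; i < NUM_CASES; i++) {
		if (fill_silence_checked(buf, buf_len, cases[i].width,
					 cases[i].samples, 0) != 0)
			rejected++;
	}
	return rejected;
}

int main(void)
{
	printf("largest write in table: %zu bytes\n", silence_buffer_bytes());
	printf("cases rejected with a 2048-byte buffer: %d\n",
	       count_rejected(2048));
	printf("cases rejected with a table-derived buffer: %d\n",
	       count_rejected(silence_buffer_bytes()));
	return 0;
}
```

With a 2048-byte buffer the 260-sample u64 case is rejected by the check; with the table-derived 2080 bytes every case fits. In a KUnit test the same comparison would be a KUNIT_ASSERT on the byte count before calling the fill helper, so a mismatch between the table and the buffer fails the test on every build rather than only under KASAN.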