sound: BUG in snd_ctl_find_numid

Message ID s5h37tvuivs.wl-tiwai@suse.de
State New

Commit Message

Takashi Iwai Jan. 18, 2016, 1:17 p.m. UTC
On Mon, 18 Jan 2016 13:59:49 +0100,
Dmitry Vyukov wrote:
> 
> Hello,
> 
> The following program triggers a BUG in snd_ctl_find_numid:

Do I understand correctly that you meant a kernel WARNING with a stack
trace as a "BUG"?  If so, the patch below should cover it.


thanks,

Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with
 numid 0

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call.  The check was
intended obviously only for a kernel driver, but not for a user
interaction.  Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/control.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Dmitry Vyukov Jan. 18, 2016, 1:18 p.m. UTC | #1
On Mon, Jan 18, 2016 at 2:17 PM, Takashi Iwai <tiwai@suse.de> wrote:
> On Mon, 18 Jan 2016 13:59:49 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program triggers a BUG in snd_ctl_find_numid:
>
> Do I understand correctly that you meant a kernel WARNING with a stack
> trace as a "BUG"?  If so, the patch below should cover it.


Yes, I guess it's just a BUG warning message.

> thanks,
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai <tiwai@suse.de>
> Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with
>  numid 0
>
> When a TLV ioctl with numid zero is handled, the driver may spew a
> kernel warning with a stack trace at each call.  The check was
> intended obviously only for a kernel driver, but not for a user
> interaction.  Let's fix it.
>
> This was spotted by syzkaller fuzzer.
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  sound/core/control.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/sound/core/control.c b/sound/core/control.c
> index 196a6fe100ca..a85d45595d02 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
>                 return -EFAULT;
>         if (tlv.length < sizeof(unsigned int) * 2)
>                 return -EINVAL;
> +       if (!tlv.numid)
> +               return -EINVAL;
>         down_read(&card->controls_rwsem);
>         kctl = snd_ctl_find_numid(card, tlv.numid);
>         if (kctl == NULL) {
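Review bot: the new `if (!tlv.numid)` check in this hunk carries no comment saying why zero is special, so on its own it reads like an arbitrary reserved value and is easy to drop in a later cleanup. A one-line comment above it, e.g. `/* numid 0 trips the in-kernel sanity check in snd_ctl_find_numid() */`, would tie it to the warning the commit message describes. Its position is right: the request is rejected after the length check and before `down_read(&card->controls_rwsem)`, so no lock is taken for a malformed request.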
> --
> 2.7.0
>

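A userspace probe for the ioctl path discussed in this thread, added here as an example; it is not the reproducer from the report and not code from the ALSA tree. It assumes the layout of struct snd_ctl_tlv and the SNDRV_CTL_IOCTL_TLV_READ number from the uapi header <sound/asound.h> (both mirrored inline so the file builds without that header) and that /dev/snd/controlC0 is the control node of the first sound card. tlv_request_check() is a pure mirror of the two early checks in snd_ctl_tlv_ioctl() as they stand after the patch, so the rejection order can be exercised without a sound card.

```c
/*
 * Added example, not code from the patch or the ALSA tree.
 *
 * Assumptions (not on the page):
 *  - struct snd_ctl_tlv_req and PROBE_TLV_READ mirror struct snd_ctl_tlv and
 *    SNDRV_CTL_IOCTL_TLV_READ from the uapi header <sound/asound.h>.
 *  - /dev/snd/controlC0 is the control node of the first card.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Mirror of the uapi layout: numid, payload byte length, then the TLV words.
 * The flexible member keeps sizeof() at 8, which the ioctl number encodes. */
struct snd_ctl_tlv_req {
    unsigned int numid;
    unsigned int length;
    unsigned int tlv[];
};

/* Assumed to match SNDRV_CTL_IOCTL_TLV_READ in <sound/asound.h>. */
#define PROBE_TLV_READ _IOWR('U', 0x1a, struct snd_ctl_tlv_req)

/*
 * Pure mirror of the checks at the top of snd_ctl_tlv_ioctl() after the
 * patch: a too-short length and a zero numid are both answered with -EINVAL
 * before the controls lock is taken and before snd_ctl_find_numid() runs.
 * Returns 0 when the request would proceed to the lookup.
 */
int tlv_request_check(unsigned int length, unsigned int numid)
{
    if (length < sizeof(unsigned int) * 2)
        return -EINVAL;
    if (!numid)
        return -EINVAL;
    return 0;
}

/*
 * Issue a TLV read with numid 0 and the minimum legal length against a
 * control node. Returns 0 if the kernel accepted the request, otherwise
 * -errno from open(), calloc() or ioctl(). A kernel with the patch answers
 * -EINVAL from the new check; without it the request reaches
 * snd_ctl_find_numid() with numid 0, the case the report is about.
 */
int probe_tlv_numid_zero(const char *ctl_path)
{
    int fd = open(ctl_path, O_RDWR);
    if (fd < 0)
        return -errno;

    /* Header plus two payload words; length is the payload size in bytes. */
    size_t payload = sizeof(unsigned int) * 2;
    struct snd_ctl_tlv_req *req = calloc(1, sizeof(*req) + payload);
    if (!req) {
        close(fd);
        return -ENOMEM;
    }
    req->numid = 0;                 /* the value the patch now rejects */
    req->length = (unsigned int)payload; /* passes the length check */

    int rc = ioctl(fd, PROBE_TLV_READ, req);
    int saved = rc < 0 ? errno : 0;
    free(req);
    close(fd);
    return rc < 0 ? -saved : 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/snd/controlC0";
    int rc = probe_tlv_numid_zero(path);
    if (rc == 0)
        printf("%s: TLV read with numid 0 was accepted\n", path);
    else
        printf("%s: TLV read with numid 0 -> %s\n", path, strerror(-rc));
    return 0;
}
```

Run it as an ordinary user with read/write access to the control node: with the patch applied the probe prints Invalid argument; without it the zero numid reaches the lookup, which, per the commit message, is where the warning with a stack trace is emitted on each call.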
Patch

diff --git a/sound/core/control.c b/sound/core/control.c
index 196a6fe100ca..a85d45595d02 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1405,6 +1405,8 @@  static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
 		return -EFAULT;
 	if (tlv.length < sizeof(unsigned int) * 2)
 		return -EINVAL;
+	if (!tlv.numid)
+		return -EINVAL;
 	down_read(&card->controls_rwsem);
 	kctl = snd_ctl_find_numid(card, tlv.numid);
 	if (kctl == NULL) {
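Review bot: this hunk rejects numid 0 at one caller, but the warning the commit message describes fires inside snd_ctl_find_numid(), which is called two lines further down with a value copied straight from userspace; any other ioctl path that hands a user-supplied numid to the same function would hit the same warning. Consider also making snd_ctl_find_numid() return NULL quietly for numid 0, or auditing its other callers, so the fix does not rely on every caller remembering this check. Returning -EINVAL here instead of letting the request fall into the `kctl == NULL` branch is a sound choice: a zero numid is a malformed request, not a control that happens to be missing.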