From patchwork Mon Dec 7 18:42:12 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shuah Khan X-Patchwork-Id: 7789191 Return-Path: X-Original-To: patchwork-alsa-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 1F589BEEE1 for ; Mon, 7 Dec 2015 18:42:37 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 4DA732053D for ; Mon, 7 Dec 2015 18:42:36 +0000 (UTC) Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) by mail.kernel.org (Postfix) with ESMTP id EE8CA2045A for ; Mon, 7 Dec 2015 18:42:34 +0000 (UTC) Received: by alsa0.perex.cz (Postfix, from userid 1000) id 8F31B265A7B; Mon, 7 Dec 2015 19:42:33 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_LOW, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from alsa0.perex.cz (localhost [127.0.0.1]) by alsa0.perex.cz (Postfix) with ESMTP id 60DA4265455; Mon, 7 Dec 2015 19:42:25 +0100 (CET) X-Original-To: alsa-devel@alsa-project.org Delivered-To: alsa-devel@alsa-project.org Received: by alsa0.perex.cz (Postfix, from userid 1000) id B58A32654F2; Mon, 7 Dec 2015 19:42:23 +0100 (CET) Received: from resqmta-po-02v.sys.comcast.net (resqmta-po-02v.sys.comcast.net [96.114.154.161]) by alsa0.perex.cz (Postfix) with ESMTP id 2B1732652E8 for ; Mon, 7 Dec 2015 19:42:16 +0100 (CET) Received: from resomta-po-03v.sys.comcast.net ([96.114.154.227]) by resqmta-po-02v.sys.comcast.net with comcast id qiiF1r0074ueUHc01iiFRE; Mon, 07 Dec 2015 18:42:15 +0000 Received: from mail.gonehiking.org ([73.181.52.62]) by resomta-po-03v.sys.comcast.net with comcast id qiiD1r00V1LXgTt01iiDC7; Mon, 07 Dec 2015 18:42:15 +0000 Received: from lorien.internal (lorien-wl.internal [192.168.1.40]) by mail.gonehiking.org (Postfix) with ESMTP id 883CD9F309; Mon, 7 Dec 2015 11:42:13 -0700 (MST) From: Shuah Khan To: mchehab@osg.samsung.com, tiwai@suse.de, perex@perex.cz, chehabrafael@gmail.com, hans.verkuil@cisco.com, prabhakar.csengg@gmail.com, chris.j.arges@canonical.com Date: Mon, 7 Dec 2015 11:42:12 -0700 Message-Id: <1449513732-5482-1-git-send-email-shuahkh@osg.samsung.com> X-Mailer: git-send-email 2.5.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1449513735; bh=8TOeH7RLS5db0mdoW5PPFHHnjhsKGoCPNqWlGGPLuns=; h=Received:Received:Received:From:To:Subject:Date:Message-Id; b=IHV5xW42KZndhU0VculElssOed7qCSGsdu9wIdXF9p1ZP1mK33n2SJaWU0p3HhDb7 ff7zIrzvDm80ZTYMXRVIAxYobQ8CoT+W8PPmIdUQwtVqbFU+lZ7Bz9LRZAXXPpwSED ERRGfCFvUExWYLd2KPG1x17zEw3+2O5emYdn5+3ZMTmFHUzEykiUgV7yBkR+OhHxue NbhNoqnj/YyJS2TFCaw7Z+EcNT6xp9ffh6PX6PQZEREl9r9XEtnUPrgirf3p9nvw3D PiFtw/IO4P8Q2iT2ZYXO7tzCN0d/XnAeSsGxdqUD9nf3Qs94dSNP5Ltz5D7AY1t+vg z0YKJ94hvGKmg== Cc: alsa-devel@alsa-project.org, Shuah Khan , linux-media@vger.kernel.org Subject: [alsa-devel] [PATCH v2 MC Next Gen] sound/usb: Fix out of bounds access in media_entity_init() X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: alsa-devel-bounces@alsa-project.org Sender: alsa-devel-bounces@alsa-project.org X-Virus-Scanned: ClamAV using ClamSMTP Fix the out of bounds access in media_entity_init() found by KASan. This is a result of media_mixer_init() failing to allocate memory for all 3 of its pads before calling media_entity_init(). Fix it to allocate memory for the right struct media_mixer_ctl instead of struct media_ctl. Signed-off-by: Shuah Khan --- Changes since v1: Change to address review comment from Takashi Iwai This patch fixes the mixer patch below: https://patchwork.linuxtv.org/patch/31827/ sound/usb/media.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/usb/media.c b/sound/usb/media.c index bebe27b..b0d283f 100644 --- a/sound/usb/media.c +++ b/sound/usb/media.c @@ -233,8 +233,8 @@ int media_mixer_init(struct snd_usb_audio *chip) if (mixer->media_mixer_ctl) continue; - /* allocate media_ctl */ - mctl = kzalloc(sizeof(struct media_ctl), GFP_KERNEL); + /* allocate media_mixer_ctl */ + mctl = kzalloc(sizeof(*mctl), GFP_KERNEL); if (!mctl) return -ENOMEM;