From patchwork Sat Jun 25 11:08:02 2016
X-Patchwork-Submitter: Bob Copeland
X-Patchwork-Id: 9199289
Date: Sat, 25 Jun 2016 07:08:02 -0400
From: Bob Copeland
To: Takashi Iwai, Jaroslav Kysela
Cc: alsa-devel@alsa-project.org
Subject: [alsa-devel] UBSAN bug in hda_generic.c
Message-ID: <20160625110802.GA14579@localhost>

Hi,

I have UBSAN reporting an out-of-bounds array access (see below) on my
machine. The following patch fixes the warning for me, but not sure if
that is just papering over some other bug.

Thanks in advance for looking!

From 551e904f7a7aea9e9c03c439e554100643239c5c Mon Sep 17 00:00:00 2001
From: Bob Copeland
Date: Sat, 25 Jun 2016 06:53:44 -0400
Subject: [PATCH] ALSA: hda - fix read before array start

UBSAN reports the following warning from accessing path->path[-1]
in set_path_power():

[ 16.078040] ================================================================================
[ 16.078124] UBSAN: Undefined behaviour in sound/pci/hda/hda_generic.c:3981:17
[ 16.078198] index -1 is out of range for type 'hda_nid_t [10]'
[ 16.078270] CPU: 2 PID: 1738 Comm: modprobe Not tainted 4.7.0-rc1-wt+ #47
[ 16.078274] Hardware name: LENOVO 3443CTO/3443CTO, BIOS G6ET23WW (1.02 ) 08/14/2012
[ 16.078278] ffff8800cb246000 ffff8800cb3638b8 ffffffff815c4fe3 0000000000000032
[ 16.078286] ffff8800cb3638e0 ffffffffffffffff ffff8800cb3638d0 ffffffff8162443d
[ 16.078294] ffffffffa0894200 ffff8800cb363920 ffffffff81624af7 0000000000000292
[ 16.078302] Call Trace:
[ 16.078311] [] dump_stack+0x86/0xd3
[ 16.078317] [] ubsan_epilogue+0xd/0x40
[ 16.078324] [] __ubsan_handle_out_of_bounds+0x67/0x70
[ 16.078335] [] set_path_power+0x1bf/0x230 [snd_hda_codec_generic]
[ 16.078344] [] add_pin_power_ctls+0x8d/0xc0 [snd_hda_codec_generic]
[ 16.078352] [] ? pin_power_down_callback+0x20/0x20 [snd_hda_codec_generic]
[ 16.078360] [] add_all_pin_power_ctls+0x107/0x150 [snd_hda_codec_generic]
[ 16.078370] [] snd_hda_gen_parse_auto_config+0x2d73/0x49e0 [snd_hda_codec_generic]
[ 16.078376] [] ? trace_hardirqs_on_caller+0x1b0/0x2c0
[ 16.078390] [] alc_parse_auto_config+0x147/0x310 [snd_hda_codec_realtek]
[ 16.078402] [] patch_alc269+0x23a/0x560 [snd_hda_codec_realtek]
[ 16.078417] [] hda_codec_driver_probe+0xa4/0x1a0 [snd_hda_codec]
[ 16.078424] [] driver_probe_device+0x101/0x380
[ 16.078430] [] __driver_attach+0xb9/0x100
[ 16.078438] [] ? driver_probe_device+0x380/0x380
[ 16.078444] [] bus_for_each_dev+0x70/0xc0
[ 16.078449] [] driver_attach+0x27/0x50
[ 16.078454] [] bus_add_driver+0x166/0x2c0
[ 16.078460] [] ?
0xffffffffa0369000 [ 16.078465] [] driver_register+0x7d/0x130 [ 16.078477] [] __hda_codec_driver_register+0x6f/0x90 [snd_hda_codec] [ 16.078488] [] realtek_driver_init+0x1e/0x1000 [snd_hda_codec_realtek] [ 16.078493] [] do_one_initcall+0x4e/0x1d0 [ 16.078499] [] ? rcu_read_lock_sched_held+0x6d/0x80 [ 16.078504] [] ? kmem_cache_alloc_trace+0x391/0x560 [ 16.078510] [] ? do_init_module+0x28/0x273 [ 16.078515] [] do_init_module+0x9b/0x273 [ 16.078522] [] load_module+0x20b2/0x3410 [ 16.078527] [] ? m_show+0x210/0x210 [ 16.078533] [] ? kernel_read+0x66/0xe0 [ 16.078541] [] SYSC_finit_module+0xba/0xc0 [ 16.078547] [] SyS_finit_module+0xe/0x10 [ 16.078552] [] entry_SYSCALL_64_fastpath+0x1f/0xbd [ 16.078556] ================================================================================ Fix by checking path->depth before use. Signed-off-by: Bob Copeland --- sound/pci/hda/hda_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c index 320445f3bf73..bc23a9d8e7b3 100644 --- a/sound/pci/hda/hda_generic.c +++ b/sound/pci/hda/hda_generic.c @@ -3978,7 +3978,7 @@ static hda_nid_t set_path_power(struct hda_codec *codec, hda_nid_t nid, for (n = 0; n < spec->paths.used; n++) { path = snd_array_elem(&spec->paths, n); if (path->path[0] == nid || - path->path[path->depth - 1] == nid) { + (path->depth > 0 && path->path[path->depth - 1] == nid)) { bool pin_old = path->pin_enabled; bool stream_old = path->stream_enabled;
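
Review bot: The new `path->depth > 0` test in set_path_power() guards only the second comparison; `path->path[0] == nid` on the line above is still evaluated for a zero-depth path, where path[0] is in bounds but is not a populated element, so an empty path can still be compared against nid. Skipping empty paths at the top of the loop body (for example `if (!path->depth) continue;` right after the snd_array_elem() call) would cover both comparisons with one check. The commit message should also say how an entry in spec->paths comes to have depth 0 at this point, since the cover note itself asks whether the check is papering over another bug.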