From patchwork Thu Mar 8 20:06:53 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10269115
Date: Thu, 8 Mar 2018 12:06:53 -0800
From: Kees Cook
To: Takashi Iwai
Cc: alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, Liam Girdwood, Mark Brown, Pavel Machek
Subject: [alsa-devel] [PATCH] ASoC: soc-core: Add missing NULL check
Message-ID: <20180308200653.GA47801@beast>

If a codec is not attached to the sound soc, a NULL deref is possible as
a regular user in /sys.

[ 2278.331878] DSS: context saved
[ 2278.820343] Unable to handle kernel NULL pointer dereference at virtual address 00000004
[ 2278.828948] pgd = c36040a2
[ 2278.831787] [00000004] *pgd=876c4831, *pte=00000000, *ppte=00000000
[ 2278.838439] Internal error: Oops: 17 [#1] ARM
[ 2278.843017] Modules linked in:
[ 2278.846221] CPU: 0 PID: 16337 Comm: grep Tainted: G W 4.16.0-rc4-next-20180308 #71
[ 2278.855529] Hardware name: Nokia RX-51 board
[ 2278.860015] PC is at soc_codec_reg_show+0x8/0x19c
[ 2278.864959] LR is at codec_reg_show+0x28/0x30

Reported-by: Pavel Machek
Signed-off-by: Kees Cook
---
No idea if this is the _right_ fix, but it should stop the crash from
unprivileged userspace.
---
 sound/soc/soc-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 96c44f6576c9..78ad165ad424 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -137,6 +137,9 @@ static ssize_t soc_codec_reg_show(struct snd_soc_codec *codec, char *buf, size_t total = 0; loff_t p = 0; + if (!codec || !codec->driver) + return 0; + wordsize = min_bytes_needed(codec->driver->reg_cache_size) * 2; regsize = codec->driver->reg_word_size * 2;
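
Review bot: The new guard at the top of soc_codec_reg_show() returns 0 when `codec` or `codec->driver` is NULL, so a read of the sysfs file looks like an empty file rather than a failure; returning a negative errno (for example -ENODEV) would tell userspace that no codec is attached instead of silently succeeding. The check also sits in the callee, while the oops shows the call arriving from codec_reg_show() ("LR is at codec_reg_show+0x28/0x30"), so the NULL pointer is produced one level up; it is worth confirming whether the attribute should be exposed at all when no codec is attached, or whether the caller should validate before calling. A one-line comment above the check stating when `codec` can be NULL would help, since only the commit message gives that condition.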