From patchwork Tue May 28 05:27:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Banajit Goswami X-Patchwork-Id: 10963709 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DA51B92A for ; Tue, 28 May 2019 05:28:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BA87828567 for ; Tue, 28 May 2019 05:28:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A929928565; Tue, 28 May 2019 05:28:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id D380328565 for ; Tue, 28 May 2019 05:28:15 +0000 (UTC) Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id 11F1917BC; Tue, 28 May 2019 07:27:24 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 11F1917BC DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1559021294; bh=zS4kOs12j60ezZE6WQ2EZH4am8alYSgnAMW6kZsNXgQ=; h=From:To:Date:Cc:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From; b=Z7Hx4+54V6ZNM+HROhTMSnbzSo5aPkoL4Ucyt1g0Oo8pj5QtHZD5j794D8dpI9I/B px2Hq+DKiVMG8FxkRuxvazr7scCJGNrcYV5CKMpkMx2VAwG3GPrz5lLG/ozFauQViF IvBsIGHfJ3cdEf4gK8M67BT+9g/nzUJ9L9K77PC8= Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1]) by alsa1.perex.cz (Postfix) with ESMTP id 8A6A4F896B8; Tue, 28 May 2019 07:27:23 +0200 (CEST) X-Original-To: alsa-devel@alsa-project.org Delivered-To: alsa-devel@alsa-project.org Received: by alsa1.perex.cz (Postfix, from userid 50401) id DE2BBF896EB; Tue, 28 May 2019 07:27:21 +0200 (CEST) Received: from smtp.codeaurora.org (smtp.codeaurora.org [198.145.29.96]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id F2D10F808F6 for ; Tue, 28 May 2019 07:27:18 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz F2D10F808F6 Authentication-Results: alsa1.perex.cz; dkim=pass (1024-bit key) header.d=codeaurora.org header.i=@codeaurora.org header.b="hmGPvOCX"; dkim=pass (1024-bit key) header.d=codeaurora.org header.i=@codeaurora.org header.b="hmGPvOCX" Received: by smtp.codeaurora.org (Postfix, from userid 1000) id D838E60769; Tue, 28 May 2019 05:27:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1559021235; bh=COM27CLA5YPcjO6w0WncoMyHj7+7UOp0BdV0sWfuSqw=; h=From:To:Cc:Subject:Date:From; b=hmGPvOCX/3Wu+v3ZgpB9s6mi+wdWL5+S93sNJe0O8WYDboNu+5Sofom7oV1IXTiwd 9g3FotDJmNagi7Pl9BgcD7lmIuuxWDlj8tSjt8jjgL//fISXFDpBzGuwDFdyaLK8ZK U+WIrCyBlvfzsi6KaRZWswMFYoORdf1NP28QA7i0= Received: from localhost (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: bgoswami@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 594386030D; Tue, 28 May 2019 05:27:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1559021235; bh=COM27CLA5YPcjO6w0WncoMyHj7+7UOp0BdV0sWfuSqw=; h=From:To:Cc:Subject:Date:From; b=hmGPvOCX/3Wu+v3ZgpB9s6mi+wdWL5+S93sNJe0O8WYDboNu+5Sofom7oV1IXTiwd 9g3FotDJmNagi7Pl9BgcD7lmIuuxWDlj8tSjt8jjgL//fISXFDpBzGuwDFdyaLK8ZK U+WIrCyBlvfzsi6KaRZWswMFYoORdf1NP28QA7i0= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 594386030D Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=bgoswami@codeaurora.org From: bgoswami@codeaurora.org To: perex@perex.cz, tiwai@suse.com Date: Mon, 27 May 2019 22:27:03 -0700 Message-Id: <1559021223-28674-1-git-send-email-bgoswami@codeaurora.org> X-Mailer: git-send-email 1.9.1 Cc: alsa-devel@alsa-project.org, Banajit Goswami , plai@codeaurora.org, broonie@kernel.org, srinivas.kandagatla@linaro.org, Phani Kumar Uppalapati Subject: [alsa-devel] [PATCH] ALSA: pcm: Check for integer overflow during multiplication X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Phani Kumar Uppalapati Channel info data structure is parsed from userspace and if the number of channels is not set correctly, it could lead to integer overflow when the number of channels is multiplied with pcm bit width. Add a condition to check for integer overflow during the multiplication operationi, and return error if overflow detected. Signed-off-by: Phani Kumar Uppalapati Signed-off-by: Banajit Goswami --- sound/core/pcm_lib.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c index 345ab1a..f45ae3a 100644 --- a/sound/core/pcm_lib.c +++ b/sound/core/pcm_lib.c @@ -1718,6 +1718,11 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream, switch (runtime->access) { case SNDRV_PCM_ACCESS_MMAP_INTERLEAVED: case SNDRV_PCM_ACCESS_RW_INTERLEAVED: + if ((UINT_MAX/width) < info->channel) { + snd_printd("%s: integer overflow in multiplication\n", + __func__); + return -EINVAL; + } info->first = info->channel * width; info->step = runtime->channels * width; break; @@ -1725,6 +1730,12 @@ static int snd_pcm_lib_ioctl_channel_info(struct snd_pcm_substream *substream, case SNDRV_PCM_ACCESS_RW_NONINTERLEAVED: { size_t size = runtime->dma_bytes / runtime->channels; + + if ((size > 0) && ((UINT_MAX/(size * 8)) < info->channel)) { + snd_printd("%s: integer overflow in multiplication\n", + __func__); + return -EINVAL; + } info->first = info->channel * size * 8; info->step = width; break;