From patchwork Tue Jan 14 15:44:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin King X-Patchwork-Id: 11332543 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BB8D26C1 for ; Tue, 14 Jan 2020 15:45:14 +0000 (UTC) Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D0D26207FF for ; Tue, 14 Jan 2020 15:45:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=alsa-project.org header.i=@alsa-project.org header.b="kZjvexwu" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D0D26207FF Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=canonical.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=alsa-devel-bounces@alsa-project.org Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id D4D1B179D; Tue, 14 Jan 2020 16:44:23 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz D4D1B179D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1579016711; bh=OD1paoCfLDj9o2XyQYxcL03esyY8sLb+NkARM3IGwxI=; h=From:To:Date:Cc:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:From; b=kZjvexwuc0qx85mMwQ7wU7J9TUsJBtnJD9y4lbmY+yFhNo7gtxd/gnAi20sgjh8t/ TtY4G+jmABdZGykyLv96hQuuzYzhxsOewb9GXnVTYznYp8GVVYvDQgZr56dO7NgFiD 5Fd4izCFRiHNj/wCX2fZkXRrnwvfq1m5iJN34Hss= Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1]) by alsa1.perex.cz (Postfix) with ESMTP id 4E143F8014D; Tue, 14 Jan 2020 16:44:23 +0100 (CET) X-Original-To: alsa-devel@alsa-project.org Delivered-To: alsa-devel@alsa-project.org Received: by alsa1.perex.cz (Postfix, from userid 50401) id CFC96F8014E; Tue, 14 Jan 2020 16:44:20 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on alsa1.perex.cz X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,SURBL_BLOCKED,URIBL_BLOCKED autolearn=disabled version=3.4.0 Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id D53C9F800B9 for ; Tue, 14 Jan 2020 16:44:14 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz D53C9F800B9 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1irOMW-0004SH-W0; Tue, 14 Jan 2020 15:44:13 +0000 From: Colin King To: Jaroslav Kysela , Takashi Iwai , alsa-devel@alsa-project.org Date: Tue, 14 Jan 2020 15:44:12 +0000 Message-Id: <20200114154412.365395-1-colin.king@canonical.com> X-Mailer: git-send-email 2.24.0 MIME-Version: 1.0 Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [alsa-devel] [PATCH] ALSA: hda - fix out of bounds read on spec->smux_paths X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" From: Colin Ian King It is possible for the call to snd_hda_get_num_conns to fail and return a negative error code that gets assigned to num_conns. In that specific case, the check of very large values of val against num_conns will not fail the -EINVAL check and later on an out of bounds array read on spec->smux_paths will occur. Fix this by sanity checking for an error return from the call to snd_hda_get_num_conns. Addresses-Coverity: ("Out-of-bounds read") Fixes: 272f3ea31776 ("ALSA: hda - Add SPDIF mux control to AD codec auto-parser") Signed-off-by: Colin Ian King --- sound/pci/hda/patch_analog.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sound/pci/hda/patch_analog.c b/sound/pci/hda/patch_analog.c index 88c46b051d14..399561369495 100644 --- a/sound/pci/hda/patch_analog.c +++ b/sound/pci/hda/patch_analog.c @@ -756,9 +756,11 @@ static int ad1988_auto_smux_enum_put(struct snd_kcontrol *kcontrol, struct ad198x_spec *spec = codec->spec; unsigned int val = ucontrol->value.enumerated.item[0]; struct nid_path *path; - int num_conns = snd_hda_get_num_conns(codec, 0x0b) + 1; + int num_conns = snd_hda_get_num_conns(codec, 0x0b); - if (val >= num_conns) + if (num_conns < 0) + return num_conns; + if (val >= num_conns + 1) return -EINVAL; if (spec->cur_smux == val) return 0;