On Mon, Jan 18, 2016 at 2:17 PM, Takashi Iwai <tiwai@xxxxxxx> wrote:
> On Mon, 18 Jan 2016 13:59:49 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program triggers a BUG in snd_ctl_find_numid:
>
> Do I understand correctly that you meant a kernel WARNING with a stack
> trace as a "BUG"? If so, the patch below should cover it.
Yes, I guess it's just a BUG warning message.
> thanks,
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai <tiwai@xxxxxxx>
> Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with
> numid 0
>
> When a TLV ioctl with numid zero is handled, the driver may spew a
> kernel warning with a stack trace at each call. The check was
> intended obviously only for a kernel driver, but not for a user
> interaction. Let's fix it.
>
> This was spotted by syzkaller fuzzer.
>
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> ---
> sound/core/control.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/sound/core/control.c b/sound/core/control.c
> index 196a6fe100ca..a85d45595d02 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
> return -EFAULT;
> if (tlv.length < sizeof(unsigned int) * 2)
> return -EINVAL;
> + if (!tlv.numid)
> + return -EINVAL;
> down_read(&card->controls_rwsem);
> kctl = snd_ctl_find_numid(card, tlv.numid);
> if (kctl == NULL) {
> --
> 2.7.0
>
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
