On Thu, Jan 28, 2016 at 05:19:21PM +0100, Takashi Iwai wrote:
> The line number doesn't match with the latest code in git, so
> double-check that the problem happens with the latest alsa-lib and
> alsa-utils, too.

I am on Debian packages 1.0.27.

> I'm thinking whether this is rather an issue in the kernel driver
> side.  In skl_tplg_tlv_control_get(),

I think you are right: the buffer would overflow, which would cause the heap to go bad and free to crash.

>
>	if (bc->params) {
>		if (copy_to_user(data, &bc->param_id, sizeof(u32)))
>			return -EFAULT;
>		if (copy_to_user(data + 1, &size, sizeof(u32)))
>			return -EFAULT;
>		if (copy_to_user(data + 2, bc->params, size))
>			return -EFAULT;
>	}
>
> But here, size is the size of the whole container, not the size in the
> container.  In the code above, you're copying size+8 bytes total and
> this breaks the boundary already.

Right. Also, I think we need to check size against the size of the parameters. We don't want to copy kernel memory to usermode if usermode gave a larger buffer.

Let me test this, thanks for pointing it out.

--
~Vinod
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
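The two problems raised in the thread (the getter writes size+8 bytes into a container that is only `size` bytes long, and it copies `size` bytes out of `bc->params` without checking how many parameter bytes the driver actually has) can be modelled in user space. The following is an added example, not ALSA or kernel code: `copy_to_user` is replaced by `memcpy` into a caller-owned buffer, the `struct tlv_ctl` and its `params_len` field are assumed stand-ins for the real driver structure (whose field names are not on the page), and the parameter storage and the "SECRET" bytes behind it are constructed to show what an unchecked copy exposes. The hardened variant applies the two checks the reply asks for: header plus payload must fit in the container user space described, and the payload is capped at the driver's own parameter length.

```c
/* Added example: user-space model of the TLV get path discussed above.
 * Not driver code; copy_to_user is modelled with memcpy, struct layout is assumed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_BYTES (2 * sizeof(uint32_t))   /* param_id + size, as in the quoted code */

/* Hypothetical model of the driver-side control (field names assumed). */
struct tlv_ctl {
    uint32_t param_id;
    size_t params_len;          /* assumed: number of valid bytes in params */
    const uint8_t *params;
};

/* Model of the quoted, unchecked logic: `data` and `size` come from user space,
 * yet HDR_BYTES + size bytes are written into a container of only `size` bytes,
 * and `size` bytes are read from params regardless of params_len. */
static int tlv_get_unchecked(const struct tlv_ctl *bc, uint8_t *data, uint32_t size)
{
    uint32_t hdr[2] = { bc->param_id, size };
    if (!bc->params)
        return 0;
    memcpy(data, hdr, HDR_BYTES);
    memcpy(data + HDR_BYTES, bc->params, size);
    return 0;
}

/* Hardened model: the header and payload must fit inside the user-supplied
 * container, and the payload never runs past the driver's own params_len.
 * The header's length field reports the bytes actually copied. */
static int tlv_get_checked(const struct tlv_ctl *bc, uint8_t *data, uint32_t size,
                           size_t *copied)
{
    *copied = 0;
    if (!bc->params)
        return 0;
    if (size < HDR_BYTES)
        return -EINVAL;                   /* container cannot hold even the header */
    size_t payload = size - HDR_BYTES;    /* room the container leaves for params */
    if (payload > bc->params_len)
        payload = bc->params_len;         /* never expose bytes beyond params */
    uint32_t hdr[2] = { bc->param_id, (uint32_t)payload };
    memcpy(data, hdr, HDR_BYTES);
    memcpy(data + HDR_BYTES, bc->params, payload);
    *copied = HDR_BYTES + payload;
    return 0;
}

/* Constructed driver-side storage: 4 real parameter bytes followed by bytes that
 * stand in for adjacent kernel memory which must never reach user space. */
static const uint8_t g_params_storage[32] = {
    0x11, 0x22, 0x33, 0x44, 'S', 'E', 'C', 'R', 'E', 'T',
};
#define PARAMS_LEN 4
#define USER_SIZE  16      /* the `size` user space passes: the whole container */
#define CANARY     0xA5    /* fills the bytes right after the container */

/* Returns 1 if the unchecked model wrote past the 16-byte container. */
static int unchecked_overruns_container(void)
{
    uint8_t buf[USER_SIZE + HDR_BYTES + 8];   /* slack so the overrun is observable, not UB */
    memset(buf, CANARY, sizeof buf);
    struct tlv_ctl bc = { 0x7, PARAMS_LEN, g_params_storage };
    tlv_get_unchecked(&bc, buf, USER_SIZE);
    return buf[USER_SIZE] != CANARY;
}

/* Returns 1 if the unchecked model copied bytes beyond params_len to the user buffer. */
static int unchecked_leaks_past_params(void)
{
    uint8_t buf[USER_SIZE + HDR_BYTES + 8];
    struct tlv_ctl bc = { 0x7, PARAMS_LEN, g_params_storage };
    tlv_get_unchecked(&bc, buf, USER_SIZE);
    return memcmp(buf + HDR_BYTES + PARAMS_LEN, "SECRET", 6) == 0;
}

/* Returns 1 if the checked model stays inside the container and inside params. */
static int checked_stays_in_bounds(void)
{
    uint8_t buf[USER_SIZE + HDR_BYTES + 8];
    size_t copied = 0;
    uint32_t reported_len;
    memset(buf, CANARY, sizeof buf);
    struct tlv_ctl bc = { 0x7, PARAMS_LEN, g_params_storage };
    if (tlv_get_checked(&bc, buf, USER_SIZE, &copied) != 0)
        return 0;
    memcpy(&reported_len, buf + sizeof(uint32_t), sizeof reported_len);
    return copied == HDR_BYTES + PARAMS_LEN && reported_len == PARAMS_LEN &&
           buf[copied] == CANARY && buf[USER_SIZE] == CANARY;
}

/* Returns 1 if a container too small for the header is rejected with -EINVAL. */
static int checked_rejects_short_container(void)
{
    uint8_t buf[HDR_BYTES];
    size_t copied = 0;
    struct tlv_ctl bc = { 0x7, PARAMS_LEN, g_params_storage };
    return tlv_get_checked(&bc, buf, 4, &copied) == -EINVAL && copied == 0;
}

int main(void)
{
    printf("unchecked overruns container: %d\n", unchecked_overruns_container());
    printf("unchecked leaks past params:  %d\n", unchecked_leaks_past_params());
    printf("checked stays in bounds:      %d\n", checked_stays_in_bounds());
    printf("checked rejects short size:   %d\n", checked_rejects_short_container());
    return 0;
}
```

In the real driver the same two checks apply before the `copy_to_user` calls: reject `size` smaller than the two-word header, and cap the copied payload at the driver's parameter length while reporting that capped length in the header rather than the container size.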