This is a note to let you know that I've just added the patch titled

    ALSA: pcm: oss: Limit the period size to 16MB

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    alsa-pcm-oss-limit-the-period-size-to-16mb.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

From 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@xxxxxxx>
Date: Wed, 1 Dec 2021 08:36:05 +0100
Subject: ALSA: pcm: oss: Limit the period size to 16MB

From: Takashi Iwai <tiwai@xxxxxxx>

commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream.

Set the practical limit to the period size (the fragment shift in OSS)
instead of a full 31bit; a too large value could lead to the exhaust
of memory as we allocate temporary buffers of the period size, too.

As of this patch, we set to 16MB limit, which should cover all use
cases.

Reported-by: syzbot+bb348e9f9a954d42746f@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: Bixuan Cui <cuibixuan@xxxxxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@xxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 sound/core/oss/pcm_oss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c
@@ -2018,7 +2018,7 @@ static int snd_pcm_oss_set_fragment1(str if (runtime->oss.subdivision || runtime->oss.fragshift) return -EINVAL; fragshift = val & 0xffff; - if (fragshift >= 31) + if (fragshift >= 25) /* should be large enough */ return -EINVAL; runtime->oss.fragshift = fragshift; runtime->oss.maxfrags = (val >> 16) & 0xffff; Patches currently in stable-queue which might be from tiwai@xxxxxxx are queue-4.4/alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch queue-4.4/alsa-ctl-fix-copy-of-updated-id-with-element-read-write.patch queue-4.4/alsa-pcm-oss-limit-the-period-size-to-16mb.patch queue-4.4/alsa-pcm-oss-fix-negative-period-buffer-sizes.patch
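Review bot: in the snd_pcm_oss_set_fragment1 hunk, the new bound `if (fragshift >= 25)` is a bare magic number, and its comment, "should be large enough", does not say what it is large enough for. The changelog gives the intent (a 16MB period limit, which corresponds to a maximum accepted shift of 24, i.e. 1 << 24), so I would suggest a named constant, or a comment that states the limit directly, such as `/* cap the period size at 16MB (1 << 24) */`, so the reason for the value is readable without the commit message. Separately, the last line of the hunk still takes maxfrags as `(val >> 16) & 0xffff` with no check in the visible lines; since the changelog's concern is memory consumed by period-sized allocations, it is worth confirming that the fragment count is bounded where it is used.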