At Thu, 21 Aug 2014 20:55:21 +0200,
Clemens Ladisch wrote:
>
> Tommi Rantala wrote:
> > Trinity discovered that writing 128 bytes to
> > /proc/asound/card0/oss_mixer triggers a stack corruption.
> >
> > Call Trace:
> > [<ffffffff8113c716>] __stack_chk_fail+0x16/0x20
> > [<ffffffff81e193ba>] snd_mixer_oss_proc_write+0x24a/0x270
>
> snd_info_get_line() wants the len parameter to be one less than the
> buffer size, but it isn't:
>
> while (!snd_info_get_line(buffer, line, sizeof(line))) {
>
> Not that *any* other caller got it correct either:
>
> sound/core/oss/pcm_oss.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/core/pcm.c: if (!snd_info_get_line(buffer, line, sizeof(line)))
> sound/core/pcm_memory.c: if (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/drivers/dummy.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/ac97/ac97_proc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/ca0106/ca0106_proc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/ca0106/ca0106_proc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/ca0106/ca0106_proc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/emu10k1/emu10k1x.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/emu10k1/emuproc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/emu10k1/emuproc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/hda/hda_eld.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/ice1712/pontis.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/ice1712/prodigy_hifi.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/lola/lola_proc.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
> sound/pci/pcxhr/pcxhr.c: while (!snd_info_get_line(buffer, line, sizeof(line))) {
>
> Oh well. At least these proc files are writable only by root, and the
> fix is easy:
Indeed. Applied now, thanks.
Takashi
>
> --8<---------------------------------------------------------------->8--
> ALSA: core: fix buffer overflow in snd_info_get_line()
>
> snd_info_get_line() documents that its last parameter must be one
> less than the buffer size, but this API design guarantees that
> (literally) every caller gets it wrong.
>
> Just change this parameter to have its obvious meaning.
>
> Reported-by: Tommi Rantala <tt.rantala@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v2.2.26+
> Signed-off-by: Clemens Ladisch <clemens@xxxxxxxxxx>
> ---
> sound/core/info.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> --- a/sound/core/info.c
> +++ b/sound/core/info.c
> @@ -684,7 +684,7 @@ int snd_info_card_free(struct snd_card *card)
> * snd_info_get_line - read one line from the procfs buffer
> * @buffer: the procfs buffer
> * @line: the buffer to store
> - * @len: the max. buffer size - 1
> + * @len: the max. buffer size
> *
> * Reads one line from the buffer and stores the string.
> *
> @@ -704,7 +704,7 @@ int snd_info_get_line(struct snd_info_buffer *buffer, char *line, int len)
> buffer->stop = 1;
> if (c == '\n')
> break;
> - if (len) {
> + if (len > 1) {
> len--;
> *line++ = c;
> }
>
--
To unsubscribe from this list: send the line "unsubscribe trinity" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
