git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Wed, 4 Dec 2019 14:48:24 +0000 (15:48 +0100)
committer	Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
	Fri, 17 Jan 2020 17:22:24 +0000 (14:22 -0300)
commit	90bf03840cc1e3ba92d0fdffdc05cff6c0a46bd1
tree	cf4a8016550cf143c6a8b3d97aabcb09d3f400d1	tree
parent	00ed075f755b116a7c2fe9f3f65dc54eecc31114	commit \| diff

ALSA: pcm: oss: Avoid potential buffer overflows

BugLink: https://bugs.launchpad.net/bugs/1857158
commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which lead to such an buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

sound/core/oss/linear.c		diff \| blob \| blame \| history
sound/core/oss/mulaw.c		diff \| blob \| blame \| history
sound/core/oss/route.c		diff \| blob \| blame \| history