git.baikalelectronics.ru Git - kernel.git/commit
ALSA: pcm: oss: Avoid potential buffer overflows
author Takashi Iwai <tiwai@suse.de>
Wed, 4 Dec 2019 14:48:24 +0000 (15:48 +0100)
committer Takashi Iwai <tiwai@suse.de>
Wed, 4 Dec 2019 14:51:30 +0000 (15:51 +0100)
commit 0bc3b20ed45055a57328e2b9efbfc95d167c2380
tree 47516d45861f38b6a35029f906025922b0723ade
parent b35f451c677604da2e165042d71f0ad3fcf5bdc6
ALSA: pcm: oss: Avoid potential buffer overflows

syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which leads to such a buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/core/oss/linear.c
sound/core/oss/mulaw.c
sound/core/oss/route.c
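
The clamp described in the commit message, as an added example in user-space C (not the kernel's code and not taken from this commit): a rate stage whose output count is decided at run time feeds a conversion stage whose destination is smaller than that output. `struct chan`, `rate_transfer`, `linear_transfer` and `run_chain` are hypothetical names, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a plugin channel buffer; not the kernel's struct. */
struct chan { void *area; size_t frames; };  /* storage, capacity in frames */

/* Rate stage (upsample by num/den). Its output count depends on a running
 * phase, so it can differ from the estimate the next buffer was sized from. */
static size_t rate_transfer(const struct chan *src, struct chan *dst,
                            size_t frames, unsigned num, unsigned den)
{
    const uint8_t *in = src->area;
    uint8_t *out = dst->area;
    size_t produced = 0;
    unsigned phase = 0;
    for (size_t i = 0; i < frames && i < src->frames; i++)
        for (phase += num; phase >= den; phase -= den) {
            if (produced == dst->frames)
                return produced;             /* destination full: stop */
            out[produced++] = in[i];
        }
    return produced;
}

/* Linear stage (u8 -> s16). The clamp is the kind of check the commit
 * message describes: never convert more frames than dst can hold. */
static size_t linear_transfer(const struct chan *src, struct chan *dst,
                              size_t frames)
{
    const uint8_t *in = src->area;
    int16_t *out = dst->area;
    if (frames > dst->frames)
        frames = dst->frames;
    for (size_t i = 0; i < frames; i++)
        out[i] = (int16_t)((in[i] - 128) * 256);
    return frames;
}

/* Constructed data: 8 frames upsampled 3:2 give 12, but the final buffer
 * holds only 10. Returns frames written; *guard reports the canary word. */
size_t run_chain(int16_t *guard)
{
    uint8_t in[8] = {0, 32, 64, 96, 128, 160, 192, 255}, mid[12];
    int16_t out[11];
    struct chan a = {in, 8}, b = {mid, 12}, c = {out, 10};
    out[10] = 0x5a5a;                        /* canary past the 10 frames */
    size_t n = linear_transfer(&b, &c, rate_transfer(&a, &b, 8, 3, 2));
    *guard = out[10];
    return n;
}
```

Without the `frames > dst->frames` check in `linear_transfer`, the same call would write 12 samples into a 10-frame destination, which is the class of access KASAN flags.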