Commit 2e30ca4e authored Jul 17, 2020 by Takashi Iwai Committed by TARKZiM Aug 28, 2020

ALSA: info: Drop WARN_ON() from buffer NULL sanity check



commit 60379ba08532eca861e933b389526a4dc89e0c42 upstream.

snd_info_get_line() has a sanity check of NULL buffer -- both buffer
itself being NULL and buffer->buffer being NULL.  Basically both
checks are valid and necessary, but the problem is that it's with
snd_BUG_ON() macro that triggers WARN_ON().  The latter condition
(NULL buffer->buffer) can be met arbitrarily by user since the buffer
is allocated at the first write, so it means that user can trigger
WARN_ON() at will.

This patch addresses it by simply moving buffer->buffer NULL check out
of snd_BUG_ON() so that spurious WARNING is no longer triggered.

Reported-by:  <syzbot+e42d0746c3c3699b6061@syzkaller.appspotmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200717084023.5928-1-tiwai@suse.de


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: Ib2982f1bfd375ce7ac022071607de4e6c498acc1

parent 7a823eb5

sound/core/info.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -691,7 +691,9 @@ int snd_info_get_line(struct snd_info_buffer buffer, char line, int len)
		{
		int c = -1;

		if (snd_BUG_ON(!buffer \|\| !buffer->buffer))
		if (snd_BUG_ON(!buffer))
		return 1;
		if (!buffer->buffer)
		return 1;
		if (len <= 0 \|\| buffer->stop \|\| buffer->error)
		return 1;