Commit 84d2099e authored Aug 15, 2018 by Erick Reyes Committed by Greg Kroah-Hartman Aug 17, 2018

ALSA: info: Check for integer overflow in snd_info_entry_write()



Commit 4adb7bcbcb69 ("ALSA: core: Use seq_file for text proc file
reads") heavily refactored ALSA procfs and fixed the overflow as
a side-effect, so this fix only applies to kernels < 4.2 and
there is no upstream equivalent

snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Erick Reyes <erickreyes@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 208255c7

sound/core/info.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -253,6 +253,7 @@ static ssize_t snd_info_entry_write(struct file file, const char __user buffer
		struct snd_info_buffer *buf;
		ssize_t size = 0;
		loff_t pos;
		unsigned long realloc_size;

		data = file->private_data;
		if (snd_BUG_ON(!data))
		@@ -261,7 +262,8 @@ static ssize_t snd_info_entry_write(struct file file, const char __user buffer
		pos = *offset;
		if (pos < 0 \|\| (long) pos != pos \|\| (ssize_t) count < 0)
		return -EIO;
		if ((unsigned long) pos + (unsigned long) count < (unsigned long) pos)
		realloc_size = (unsigned long) pos + (unsigned long) count;
		if (realloc_size < (unsigned long) pos \|\| realloc_size > UINT_MAX)
		return -EIO;
		switch (entry->content) {
		case SNDRV_INFO_CONTENT_TEXT: