[alsa-devel] sound: BUG in snd_ctl_find_numid
Hello,
The following program triggers a BUG in snd_ctl_find_numid:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

int main()
{
	struct snd_ctl_tlv tlv;
	int fd = open("/dev/snd/controlC0", O_RDWR);

	if (fd < 0)
		return 1;

	/* numid 0 is what reaches the warning in snd_ctl_find_numid() */
	tlv.numid = 0;
	tlv.length = 8;
	ioctl(fd, SNDRV_CTL_IOCTL_TLV_WRITE, &tlv);
	return 0;
}
------------[ cut here ]------------
WARNING: CPU: 1 PID: 29204 at sound/core/control.c:668 snd_ctl_find_numid+0xff/0x130()
Modules linked in:
CPU: 1 PID: 29204 Comm: a.out Tainted: G        W       4.4.0+ #259
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88005e55fb30 ffffffff8298accd 0000000000000000
 ffff8800647caf80 ffffffff86d23d80 ffff88005e55fb70 ffffffff81352089
 ffffffff84f16b3f ffffffff86d23d80 000000000000029c ffff88002402cb60
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff8298accd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<ffffffff84f16b3f>] snd_ctl_find_numid+0xff/0x130 sound/core/control.c:668
 [<ffffffff84f1caf9>] snd_ctl_tlv_ioctl+0x119/0x680 sound/core/control.c:1409
 [<ffffffff84f1f88b>] snd_ctl_ioctl+0x24b/0xdd0 sound/core/control.c:1501
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff817ebfac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
 [<     inline     >] SYSC_ioctl fs/ioctl.c:689
 [<ffffffff817ece5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
 [<ffffffff863259b6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 010bca66b8d6c52a ]---
On commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4.
On Mon, 18 Jan 2016 13:59:49 +0100, Dmitry Vyukov wrote:
Hello,
The following program triggers a BUG in snd_ctl_find_numid:
Do I understand correctly that you meant a kernel WARNING with a stack trace as a "BUG"? If so, the patch below should cover it.
thanks,
Takashi
-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
When a TLV ioctl with numid zero is handled, the driver may spew a kernel warning with a stack trace at each call. The check was intended obviously only for a kernel driver, but not for a user interaction. Let's fix it.
This was spotted by syzkaller fuzzer.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/control.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c index 196a6fe100ca..a85d45595d02 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file, return -EFAULT; if (tlv.length < sizeof(unsigned int) * 2) return -EINVAL; + if (!tlv.numid) + return -EINVAL; down_read(&card->controls_rwsem); kctl = snd_ctl_find_numid(card, tlv.numid); if (kctl == NULL) {
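Review bot: the new `if (!tlv.numid) return -EINVAL;` guard carries no comment saying why numid 0 is rejected at this point, namely that snd_ctl_find_numid() treats a zero numid as a driver-side programming error and warns on it (the WARNING at sound/core/control.c:668 in the report), so the user-controlled value has to be filtered at the ioctl boundary before the lookup; a one-line comment there would keep a later cleanup from dropping the check as redundant. Placing it before down_read(&card->controls_rwsem) is right, since the early return then holds no lock, and -EINVAL matches the length check immediately above.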
On Mon, Jan 18, 2016 at 2:17 PM, Takashi Iwai <tiwai@suse.de> wrote:
On Mon, 18 Jan 2016 13:59:49 +0100, Dmitry Vyukov wrote:
Hello,
The following program triggers a BUG in snd_ctl_find_numid:
Do I understand correctly that you meant a kernel WARNING with a stack trace as a "BUG"? If so, the patch below should cover it.
Yes, I guess it's just a BUG warning message.
thanks,
Takashi
-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
When a TLV ioctl with numid zero is handled, the driver may spew a kernel warning with a stack trace at each call. The check was intended obviously only for a kernel driver, but not for a user interaction. Let's fix it.
This was spotted by syzkaller fuzzer.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/control.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sound/core/control.c b/sound/core/control.c index 196a6fe100ca..a85d45595d02 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file, return -EFAULT; if (tlv.length < sizeof(unsigned int) * 2) return -EINVAL;
if (!tlv.numid)
return -EINVAL; down_read(&card->controls_rwsem); kctl = snd_ctl_find_numid(card, tlv.numid); if (kctl == NULL) {
-- 2.7.0