[alsa-devel] [PATCH 0/2] Harden proc interface
Hi,
here is a small patch series to harden the accesses to ALSA proc files. Both are marked with v4.2+ stable, just because they are cleanly applicable since that version due to the code rewrite at 4.2.
Takashi
===
Takashi Iwai (2): ALSA: info: Limit the proc text input size ALSA: info: Return error for invalid read/write
sound/core/info.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
The ALSA proc handler allows currently the write in the unlimited size until kmalloc() fails. But basically the write is supposed to be only for small inputs, mostly for one line inputs, and we don't have to handle too large sizes at all. Since the kmalloc error results in the kernel warning, it's better to limit the size beforehand.
This patch adds the limit of 16kB, which must be large enough for the currently existing code.
Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Takashi Iwai tiwai@suse.de --- sound/core/info.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/sound/core/info.c b/sound/core/info.c index 895362a696c9..291d6ed80d80 100644 --- a/sound/core/info.c +++ b/sound/core/info.c @@ -329,6 +329,9 @@ static ssize_t snd_info_text_entry_write(struct file *file, if (!valid_pos(pos, count)) return -EIO; next = pos + count; + /* don't handle too large text inputs */ + if (next > 16 * 1024) + return -EIO; mutex_lock(&entry->access); buf = data->wbuffer; if (!buf) {
Currently the ALSA proc handler allows read or write even if the proc file were write-only or read-only. It's mostly harmless, does thing but allocating memory and ignores the input/output. But it doesn't tell user about the invalid use, and it's confusing and inconsistent in comparison with other proc files.
This patch adds some sanity checks and let the proc handler returning an -EIO error when the invalid read/write is performed.
Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Takashi Iwai tiwai@suse.de --- sound/core/info.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sound/core/info.c b/sound/core/info.c index 291d6ed80d80..8ab72e0f5932 100644 --- a/sound/core/info.c +++ b/sound/core/info.c @@ -325,6 +325,8 @@ static ssize_t snd_info_text_entry_write(struct file *file, size_t next; int err = 0;
+ if (!entry->c.text.write) + return -EIO; pos = *offset; if (!valid_pos(pos, count)) return -EIO; @@ -369,7 +371,9 @@ static int snd_info_seq_show(struct seq_file *seq, void *p) struct snd_info_private_data *data = seq->private; struct snd_info_entry *entry = data->entry;
- if (entry->c.text.read) { + if (!entry->c.text.read) { + return -EIO; + } else { data->rbuffer->buffer = (char *)seq; /* XXX hack! */ entry->c.text.read(entry, data->rbuffer); }
participants (1)
-
Takashi Iwai