[RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add
CVE-2020-11725 report that 'count = info->owner' may result a SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should use info->count.
Signed-off-by: yangerkun yangerkun@huawei.com --- sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
v1->v2: reword the patch head
diff --git a/sound/core/control.c b/sound/core/control.c index aa0c0cf182af..c77ca7f39637 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, return -ENOMEM;
/* Check the number of elements for this userspace control. */ - count = info->owner; + count = info->count; if (count == 0) count = 1;
On Tue, 14 Apr 2020 08:51:09 +0200, yangerkun wrote:
CVE-2020-11725 report that 'count = info->owner' may result a SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should use info->count.
Signed-off-by: yangerkun yangerkun@huawei.com
The CVE report is simply wrong. info->owner is used intentionally for this specific API to add a user-space control. For the normal kernel kctls, the field is used indeed for storing the pid, but but the user-space kctl addition API usage is an exception.
You can see the another use of info->count of field in the very same function at a later point and find it has a different meaning.
The CVE should be disputed.
thanks,
Takashi
sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
v1->v2: reword the patch head
diff --git a/sound/core/control.c b/sound/core/control.c index aa0c0cf182af..c77ca7f39637 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, return -ENOMEM;
/* Check the number of elements for this userspace control. */
- count = info->owner;
- count = info->count; if (count == 0) count = 1;
-- 2.21.1
On 2020/4/14 14:54, Takashi Iwai wrote:
On Tue, 14 Apr 2020 08:51:09 +0200, yangerkun wrote:
CVE-2020-11725 report that 'count = info->owner' may result a SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should use info->count.
Signed-off-by: yangerkun yangerkun@huawei.com
The CVE report is simply wrong. info->owner is used intentionally for this specific API to add a user-space control. For the normal kernel kctls, the field is used indeed for storing the pid, but but the user-space kctl addition API usage is an exception.
You can see the another use of info->count of field in the very same function at a later point and find it has a different meaning.
The CVE should be disputed.
Got it! Thanks for your reply.
thanks,
Takashi
sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
v1->v2: reword the patch head
diff --git a/sound/core/control.c b/sound/core/control.c index aa0c0cf182af..c77ca7f39637 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, return -ENOMEM;
/* Check the number of elements for this userspace control. */
- count = info->owner;
- count = info->count; if (count == 0) count = 1;
-- 2.21.1
.
participants (2)
-
Takashi Iwai -
yangerkun