[alsa-devel] [PATCH] hda: add bounds checking for the codec command fields v2
Takashi Iwai
tiwai at suse.de
Fri Jul 17 11:28:52 CEST 2009
At Fri, 17 Jul 2009 16:49:19 +0800,
Wu Fengguang wrote:
>
> On Fri, Jul 17, 2009 at 04:27:03PM +0800, Wu Fengguang wrote:
> > On Fri, Jul 17, 2009 at 04:24:10PM +0800, Wu Fengguang wrote:
> > > A recent bug involves passing auto detected >0x7f NID to codec command,
> > > creating an invalid codec addr field, and finally leading to cmd timeout
> > > and fallback into single command mode. Jaroslav fixed that bug in
> > > alc880_parse_auto_config().
> > >
> > > It would be safer to further check the bounds of all cmd fields.
> > >
> > > Cc: Jaroslav Kysela <perex at perex.cz>
> > > Signed-off-by: Wu Fengguang <fengguang.wu at intel.com>
> > > ---
> > > diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
> > > index 462e2ce..7d09650 100644
> > > --- a/sound/pci/hda/hda_codec.c
> > > +++ b/sound/pci/hda/hda_codec.c
> > > @@ -150,6 +150,16 @@ make_codec_cmd(struct hda_codec *codec, hda_nid_t nid, int direct,
> > > {
> > > u32 val;
> > >
> > > + if ((direct & ~1) || (nid & ~0x7f) ||
> > > + (verb & ~0xfff) || (parm & ~0xff)) {
> > > + printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
> > > + codec->addr, direct, nid, verb, parm);
> >
> > Maybe we shall simply return here?
>
> Here it is :)
>
> ---
> hda: add bounds checking for the codec command fields
>
> A recent bug involves passing auto detected >0x7f NID to codec command,
> creating an invalid codec addr field, and finally leading to cmd timeout
> and fallback into single command mode. Jaroslav fixed that bug in
> alc880_parse_auto_config().
>
> It would be safer to further check the bounds of all cmd fields.
>
> Cc: Jaroslav Kysela <perex at perex.cz>
> Signed-off-by: Wu Fengguang <fengguang.wu at intel.com>
Looks good. Applied now.
Thanks!
Takashi
> ---
> sound/pci/hda/hda_codec.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> --- sound-2.6.orig/sound/pci/hda/hda_codec.c
> +++ sound-2.6/sound/pci/hda/hda_codec.c
> @@ -150,7 +150,14 @@ make_codec_cmd(struct hda_codec *codec,
> {
> u32 val;
>
> - val = (u32)(codec->addr & 0x0f) << 28;
> + if ((codec->addr & ~0xf) | (direct & ~1) | (nid & ~0x7f) |
> + (verb & ~0xfff) | (parm & ~0xff)) {
> + printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
> + codec->addr, direct, nid, verb, parm);
> + return ~0;
> + }
> +
> + val = (u32)codec->addr << 28;
> val |= (u32)direct << 27;
> val |= (u32)nid << 20;
> val |= verb << 8;
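Review bot: `return ~0;` in the new range check uses 0xffffffff as the error value, but the masks accepted just above it (4-bit addr, 1-bit direct, 7-bit nid, 12-bit verb, 8-bit parm) add up to 32 bits. If parm fills the low byte, as its 0xff mask suggests, a command with every field at its maximum passes the check and also encodes to 0xffffffff, so the caller cannot tell it from a rejected one. Consider reporting the failure out of band (an int return with the encoded value stored through a pointer), or add a comment saying this one encoding is given up on purpose. The condition also joins its terms with bitwise `|` where `||` is conventional; the result is the same here, but a short comment would help if that is intentional.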
> @@ -167,6 +174,9 @@ static int codec_exec_verb(struct hda_co
> struct hda_bus *bus = codec->bus;
> int err;
>
> + if (cmd == ~0)
> + return -1;
> +
> if (res)
> *res = -1;
> again:
>
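Review bot: the `if (cmd == ~0) return -1;` check sits before `if (res) *res = -1;`, so when a command is rejected the caller's *res is left untouched, and a caller that does not check the return value reads whatever was stored there before. Move the check below the *res initialisation, and return -EINVAL instead of a bare -1 so the reason for the failure is visible to callers.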