[RFC v2] ALSA: control: fix a error handling exist in snd_ctl_elem_add

Takashi Iwai tiwai at suse.de
Tue Apr 14 08:54:34 CEST 2020


On Tue, 14 Apr 2020 08:51:09 +0200,
yangerkun wrote:
> 
> CVE-2020-11725 report that 'count = info->owner' may result a
> SIZE_OVERFLOW. 'info->owner' represent a pid, and actually, we should
> use info->count.
> 
> Signed-off-by: yangerkun <yangerkun at huawei.com>

The CVE report is simply wrong.  info->owner is used intentionally for
this specific API to add a user-space control.  For the normal kernel
kctls, the field is used indeed for storing the pid, but but the
user-space kctl addition API usage is an exception.

You can see the another use of info->count of field in the very same
function at a later point and find it has a different meaning.

The CVE should be disputed.


thanks,

Takashi

> ---
>  sound/core/control.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> v1->v2: reword the patch head
> 
> diff --git a/sound/core/control.c b/sound/core/control.c
> index aa0c0cf182af..c77ca7f39637 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1431,7 +1431,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
>  		return -ENOMEM;
>  
>  	/* Check the number of elements for this userspace control. */
> -	count = info->owner;
> +	count = info->count;
>  	if (count == 0)
>  		count = 1;
>  
> -- 
> 2.21.1
> 


More information about the Alsa-devel mailing list