[PATCH] ALSA: pcm: oss: Avoid plugin buffer overflow
Serge Belyshev
belyshev at depni.sinp.msu.ru
Thu Apr 30 18:34:02 CEST 2020
> ...
>
> This patch addresses those possible buffer overflow accesses by simply
> setting the upper limit per the given buffer size for each plugin
> before src_frames() and after dst_frames() calls.
Hi!
This patch breaks any output via oss interface, as evident by "mpv
--ao=oss somefile.mp3" or "mpg123 -o oss somefile.mp3" or just "cat
/dev/urandom > /dev/dsp", which worked previously in kernel version 5.5
but not any longer starting with 5.6.
It appears here that plugin->buf_frames is zero which results in ENXIO
returned to userspace.
> ...
> --- a/sound/core/oss/pcm_plugin.c
> +++ b/sound/core/oss/pcm_plugin.c
> @@ -209,6 +209,8 @@ snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *plug, snd_p
> if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
> plugin = snd_pcm_plug_last(plug);
> while (plugin && drv_frames > 0) {
> + if (drv_frames > plugin->buf_frames)
> + drv_frames = plugin->buf_frames;
> plugin_prev = plugin->prev;
> if (plugin->src_frames)
> drv_frames = plugin->src_frames(plugin, drv_frames);
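Review bot: the clamp added at the top of the while loop in snd_pcm_plug_client_size() assumes plugin->buf_frames is already non-zero, and nothing in the hunk checks that. If buf_frames is still 0 at this point, as the reply above reports, drv_frames is forced to 0, src_frames() is then called with a zero count, and the `drv_frames > 0` loop condition stops the walk, so the size calculation collapses to zero instead of being limited. Consider applying the limit only where the plugin buffer is known to be allocated, or guarding it with something like `if (plugin->buf_frames && drv_frames > plugin->buf_frames)`, and add a comment stating the precondition on buf_frames.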
> ...