[Bug Report]Sound: sound/core/hwdep.c undefined result by left shifting 1 by 31
Changming Liu
liu.changm at northeastern.edu
Fri May 22 01:32:00 CEST 2020
Hi Jaroslav, Takashi:
Greetings, I'm a first year PhD student who is interested in using UBSan for linux.
After some experiments, I found that in sound/core/hwdep.c function snd_hwdep_dsp_load
there might be an undefined behavior that might cause unexpected result.
More specifically, in this function,info was fetched from user space and,
info.index was checked if it's greater than or equal to 32.
If not then it's used as number of left shift bits to string literal 1.
The problem is, since string literal 1 is by default signed int, so 1 << 31 cannot be represented as a valid integer and
the result might be undefined across different platforms. So I guess change 1 to 1U might help?
Due to the lack of knowledge of the interaction between this module and others, I'm not able to assess if
this is critical or worth fixing. I'd appreciate if for your comment on this bug. This can help me understand UB a lot!
Looking forward to your response.
Best,
Changming Liu
More information about the Alsa-devel
mailing list