[PATCH -next] ALSA: Fix oversized kvmalloc() calls

Takashi Iwai tiwai at suse.de
Tue Nov 30 12:39:27 CET 2021


On Tue, 30 Nov 2021 12:16:18 +0100,
Bixuan Cui wrote:
> 
> The commit 7661809d493b ("mm: don't allow oversized kvmalloc()
> calls") limits the max allocatable memory via kvzalloc() to MAX_INT.
> 
> Reported-by: syzbot+bb348e9f9a954d42746f at syzkaller.appspotmail.com
> Signed-off-by: Bixuan Cui <cuibixuan at linux.alibaba.com>

We should check the allocation size a lot earlier than here.
IOW, such a big size shouldn't have been passed to this function but
it should have been handled as an error in the caller side
(snd_pcm_oss_change_params*()).

Could you give the reproducer?


thanks,

Takashi

> ---
>  sound/core/oss/pcm_plugin.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c
> index 061ba06..61fccb5 100644
> --- a/sound/core/oss/pcm_plugin.c
> +++ b/sound/core/oss/pcm_plugin.c
> @@ -68,6 +68,10 @@ static int snd_pcm_plugin_alloc(struct snd_pcm_plugin *plugin, snd_pcm_uframes_t
>  	size /= 8;
>  	if (plugin->buf_frames < frames) {
>  		kvfree(plugin->buf);
> +
> +		if (size > INT_MAX)
> +			return -ENOMEM;
> +
>  		plugin->buf = kvzalloc(size, GFP_KERNEL);
>  		plugin->buf_frames = frames;
>  	}
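
Review bot: the new size > INT_MAX return sits after kvfree(plugin->buf), so on that error path plugin->buf still holds the freed pointer and plugin->buf_frames keeps its old value. A later call that enters this branch again would hand the same pointer to kvfree() a second time. Move the size check above the kvfree(), or set plugin->buf = NULL and plugin->buf_frames = 0 before returning -ENOMEM.
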
> -- 
> 1.8.3.1
> 

