[PATCH] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

Takashi Iwai tiwai at suse.de
Wed Sep 7 07:59:26 CEST 2022


On Wed, 07 Sep 2022 03:18:00 +0200,
Tasos Sahanidis wrote:
> 
> The voice allocator sometimes begins allocating from near the end of the
> array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
> accesses the newly allocated voices as if it never wrapped around.
> 
> This results in out of bounds access if the first voice has a high enough
> index so that first_voice + requested_voice_count > NUM_G (64).
> The more voices are requested, the more likely it is for this to occur.
> 
> This was initially discovered using PipeWire, however it can be reproduced
> by calling aplay multiple times with 16 channels:
> aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero
> 
> UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
> index 65 is out of range for type 'snd_emu10k1_voice [64]'
> CPU: 1 PID: 31977 Comm: aplay Tainted: G        W IOE      6.0.0-rc2-emu10k1+ #7
> Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002    07/22/2010
> Call Trace:
> <TASK>
> dump_stack_lvl+0x49/0x63
> dump_stack+0x10/0x16
> ubsan_epilogue+0x9/0x3f
> __ubsan_handle_out_of_bounds.cold+0x44/0x49
> snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
> snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
> snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
> ? exit_to_user_mode_prepare+0x35/0x170
> ? do_syscall_64+0x69/0x90
> ? syscall_exit_to_user_mode+0x26/0x50
> ? do_syscall_64+0x69/0x90
> ? exit_to_user_mode_prepare+0x35/0x170
> snd_pcm_ioctl+0x27/0x40 [snd_pcm]
> __x64_sys_ioctl+0x95/0xd0
> do_syscall_64+0x5c/0x90
> ? do_syscall_64+0x69/0x90
> ? do_syscall_64+0x69/0x90
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> Signed-off-by: Tasos Sahanidis <tasos at tasossah.com>

Oh it's an old bug...

Now applied.  Thanks!


Takashi
