review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Wed, 4 Dec 2019 14:48:24 +0000 (15:48 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 13 Dec 2019 07:42:38 +0000 (08:42 +0100)
commit	d2d135cba85ba02da07f43b1f1d7d9fb3937a8f2
tree	8cb270de032d304f36ba7cca159dd75df0ac435c	tree \| snapshot
parent	b8cc281681ed99ca86dd883fd1461bb90d95ce9b	commit \| diff

ALSA: pcm: oss: Avoid potential buffer overflows

commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which lead to such an buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

sound/core/oss/linear.c		diff \| blob \| history
sound/core/oss/mulaw.c		diff \| blob \| history
sound/core/oss/route.c		diff \| blob \| history