Re: [PATCH] ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
From: Takashi Iwai
Date: Mon Jan 18 2016 - 08:19:04 EST
On Mon, 18 Jan 2016 14:00:19 +0100,
Nicolas Boichat wrote:
> On Mon, Jan 18, 2016 at 2:37 PM, Takashi Iwai <tiwai@xxxxxxx> wrote:
> > On Mon, 18 Jan 2016 04:49:18 +0100,
> > Nicolas Boichat wrote:
> >> Running a kernel with KASan enabled, we spotted that the following
> >> read in sound/soc/soc-pcm.c:soc_pcm_hw_params() is out of bounds:
> >> /* copy params for each codec */
> >> codec_params = *params;
> >> The problem comes from sound/core/pcm_compat.c,
> >> snd_pcm_ioctl_hw_params_compat, where we're copying from a
> >> struct snd_pcm_hw_params to a struct snd_pcm_hw_params32:
> >> /* only fifo_size is different, so just copy all */
> >> data = memdup_user(data32, sizeof(*data32));
> >> It turns out that snd_pcm_hw_params is 4 bytes longer than
> >> snd_pcm_hw_params32, that's why an out-of-bounds read happens.
> >> We separate kmalloc and memory copy operations to make sure
> >> data has the correct length.
> >> Signed-off-by: Nicolas Boichat <drinkcat@xxxxxxxxxxxx>
> > Thanks for reporting. This is indeed effectively a revert of the
> > commit ef44a1ec6eee ('ALSA: sound/core: use memdup_user()'), which is
> > obviously wrong. Sigh, it's a really danger of such a "cleanup"
> > patch.
> Oh, well spotted!
> > Could you rephrase the changelog mentioning the affecting commit and
> > resubmit?
> Sure. Looking at that commit, there is another suspicious memdup_user
> in sound/seq/seq_compat.c (similar issue: struct snd_seq_port_info32
> is 4 bytes shorter than struct snd_seq_port_info). I'll revert that
> one as well.
Good catch. I'm looking forward to seeing newer patches!