From c1ea2b3c07c697bcfd40a634fcd0af585cb21574 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Sun, 30 Oct 2016 22:13:19 +0100 Subject: ALSA: info: Return error for invalid read/write commit 6809cd682b82dfff47943850d1a8c714f971b5ca upstream. Currently the ALSA proc handler allows read or write even if the proc file were write-only or read-only. It's mostly harmless, does thing but allocating memory and ignores the input/output. But it doesn't tell user about the invalid use, and it's confusing and inconsistent in comparison with other proc files. This patch adds some sanity checks and let the proc handler returning an -EIO error when the invalid read/write is performed. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/info.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'sound/core/info.c') diff --git a/sound/core/info.c b/sound/core/info.c index 895362a696c9..dbef9edd4871 100644 --- a/sound/core/info.c +++ b/sound/core/info.c @@ -325,6 +325,8 @@ static ssize_t snd_info_text_entry_write(struct file *file, size_t next; int err = 0; + if (!entry->c.text.write) + return -EIO; pos = *offset; if (!valid_pos(pos, count)) return -EIO; @@ -366,7 +368,9 @@ static int snd_info_seq_show(struct seq_file *seq, void *p) struct snd_info_private_data *data = seq->private; struct snd_info_entry *entry = data->entry; - if (entry->c.text.read) { + if (!entry->c.text.read) { + return -EIO; + } else { data->rbuffer->buffer = (char *)seq; /* XXX hack! */ entry->c.text.read(entry, data->rbuffer); } -- cgit v1.2.3 From f3155797b91c28cb0afbb24fe8c914392eeb28f5 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Sun, 30 Oct 2016 22:18:45 +0100 Subject: ALSA: info: Limit the proc text input size commit 027a9fe6835620422b6713892175716f3613dd9d upstream. The ALSA proc handler allows currently the write in the unlimited size until kmalloc() fails. But basically the write is supposed to be only for small inputs, mostly for one line inputs, and we don't have to handle too large sizes at all. Since the kmalloc error results in the kernel warning, it's better to limit the size beforehand. This patch adds the limit of 16kB, which must be large enough for the currently existing code. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/info.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sound/core/info.c') diff --git a/sound/core/info.c b/sound/core/info.c index dbef9edd4871..8ab72e0f5932 100644 --- a/sound/core/info.c +++ b/sound/core/info.c @@ -331,6 +331,9 @@ static ssize_t snd_info_text_entry_write(struct file *file, if (!valid_pos(pos, count)) return -EIO; next = pos + count; + /* don't handle too large text inputs */ + if (next > 16 * 1024) + return -EIO; mutex_lock(&entry->access); buf = data->wbuffer; if (!buf) { -- cgit v1.2.3