<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/sound/core/control.c, branch v6.1.168</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2024-09-12T09:10:19+00:00</updated>
<entry>
<title>ALSA: control: Apply sanity check of input values for user elements</title>
<updated>2024-09-12T09:10:19+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2024-06-16T07:34:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c0939f9479273a8aa729f0c96d6c1f34967d1176'/>
<id>urn:sha1:c0939f9479273a8aa729f0c96d6c1f34967d1176</id>
<content type='text'>
[ Upstream commit 50ed081284fe2bfd1f25e8b92f4f6a4990e73c0a ]

Although we already have a mechanism for sanity checks of input values
for control writes, it's not applied unless the kconfig
CONFIG_SND_CTL_INPUT_VALIDATION is set, for performance reasons.
Nevertheless, it still makes sense to apply the same check for user
elements despite its cost, as that's the only way to filter out the
invalid values; the user controls are handled solely in ALSA core
code, and there is no corresponding driver, after all.

This patch adds the same input value validation for user control
elements at its put callback.  The kselftest will be happier with this
change, as the incorrect values will be bailed out now with errors.

For other normal controls, the check is applied still only when
CONFIG_SND_CTL_INPUT_VALIDATION is set.

Reported-by: Paul Menzel &lt;pmenzel@molgen.mpg.de&gt;
Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Reviewed-by: Mark Brown &lt;broonie@kernel.org&gt;
Reviewed-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Link: https://lore.kernel.org/20240616073454.16512-4-tiwai@suse.de
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF</title>
<updated>2023-01-14T09:33:44+00:00</updated>
<author>
<name>Clement Lecigne</name>
<email>clecigne@google.com</email>
</author>
<published>2023-01-13T12:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d6ad4bd1d896ae1daffd7628cd50f124280fb8b1'/>
<id>urn:sha1:d6ad4bd1d896ae1daffd7628cd50f124280fb8b1</id>
<content type='text'>
commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e upstream.

Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
snd_ctl_notify_one() helper"). Doing it this way, we are also fixing the following
locking issue happening in the compat path which can be easily triggered and
turned into a use-after-free.

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits:
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Cc: stable@kernel.org # 5.13+
Signed-off-by: Clement Lecigne &lt;clecigne@google.com&gt;
Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>ALSA: control: add snd_ctl_rename()</title>
<updated>2022-10-21T06:17:08+00:00</updated>
<author>
<name>Maciej S. Szmigiero</name>
<email>maciej.szmigiero@oracle.com</email>
</author>
<published>2022-10-20T20:46:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=966f015fe4329199cc49084ee2886cfb626b34d3'/>
<id>urn:sha1:966f015fe4329199cc49084ee2886cfb626b34d3</id>
<content type='text'>
Add a snd_ctl_rename() function that takes care of updating the control
hash entries for callers that already have the relevant struct snd_kcontrol
at hand and hold the control write lock (or simply haven't registered the
card yet).

Fixes: c27e1efb61c5 ("ALSA: control: Use xarray for faster lookups")
Cc: stable@vger.kernel.org
Signed-off-by: Maciej S. Szmigiero &lt;maciej.szmigiero@oracle.com&gt;
Link: https://lore.kernel.org/r/4170b71117ea81357a4f7eb8410f7cde20836c70.1666296963.git.maciej.szmigiero@oracle.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Re-order bounds checking in get_ctl_id_hash()</title>
<updated>2022-08-26T15:17:22+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2022-08-26T15:01:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5934d9a0383619c14df91af8fd76261dc3de2f5f'/>
<id>urn:sha1:5934d9a0383619c14df91af8fd76261dc3de2f5f</id>
<content type='text'>
These two checks are in the reverse order so it might read one element
beyond the end of the array.  First check if the "i" is within bounds
before using it.

Fixes: 6ab55ec0a938 ("ALSA: control: Fix an out-of-bounds bug in get_ctl_id_hash()")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Link: https://lore.kernel.org/r/YwjgNh/gkG1hH7po@kili
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Fix an out-of-bounds bug in get_ctl_id_hash()</title>
<updated>2022-08-24T09:41:53+00:00</updated>
<author>
<name>Zheyu Ma</name>
<email>zheyuma97@gmail.com</email>
</author>
<published>2022-08-24T08:16:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6ab55ec0a938c7f943a4edba3d6514f775983887'/>
<id>urn:sha1:6ab55ec0a938c7f943a4edba3d6514f775983887</id>
<content type='text'>
Since the user can control the arguments provided to the kernel by the
ioctl() system call, an out-of-bounds bug occurs when the 'id-&gt;name'
provided by the user does not end with '\0'.

The following log can reveal it:

[    10.002313] BUG: KASAN: stack-out-of-bounds in snd_ctl_find_id+0x36c/0x3a0
[    10.002895] Read of size 1 at addr ffff888109f5fe28 by task snd/439
[    10.004934] Call Trace:
[    10.007140]  snd_ctl_find_id+0x36c/0x3a0
[    10.007489]  snd_ctl_ioctl+0x6cf/0x10e0

Fix this by checking the bound of 'id-&gt;name' in the loop.

Fixes: c27e1efb61c5 ("ALSA: control: Use xarray for faster lookups")
Signed-off-by: Zheyu Ma &lt;zheyuma97@gmail.com&gt;
Link: https://lore.kernel.org/r/20220824081654.3767739-1-zheyuma97@gmail.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Use deferred fasync helper</title>
<updated>2022-07-29T10:57:12+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-07-28T12:59:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4a971e84a7ae10a38d875cd2d4e487c8d1682ca3'/>
<id>urn:sha1:4a971e84a7ae10a38d875cd2d4e487c8d1682ca3</id>
<content type='text'>
For avoiding the potential deadlock via kill_fasync() call, use the
new fasync helpers to defer the invocation from the control API.  Note
that it's merely a workaround.

Another note: although we haven't received reports about the deadlock
with the control API, the deadlock is still potentially possible, and
it's better to align the behavior with other core APIs (PCM and
timer); so let's move altogether.

Link: https://lore.kernel.org/r/20220728125945.29533-5-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Fix missing return value comments for kernel docs</title>
<updated>2022-07-13T11:42:37+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-07-13T10:47:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e8406ebc37d2efb7e473e469152f977235a742e1'/>
<id>urn:sha1:e8406ebc37d2efb7e473e469152f977235a742e1</id>
<content type='text'>
Each kernel doc comment expects the definition of the return value in
proper format.  This patch adds or fixes the missing entries for
control API.

Link: https://lore.kernel.org/r/20220713104759.4365-6-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Add input validation</title>
<updated>2022-06-15T05:45:28+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-06-09T12:02:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f5e829f92a494a0b66d309497bab4e9d10d4ce3e'/>
<id>urn:sha1:f5e829f92a494a0b66d309497bab4e9d10d4ce3e</id>
<content type='text'>
This patch adds a new feature to enable the validation of input data
to control elements in the ALSA core side.  When
CONFIG_SND_CTL_INPUT_VALIDATION is set, ALSA core verifies whether
each input value via control API is in the defined ranges, and also checks
whether it's aligned to the defined steps.  If an invalid value is
detected, ALSA core returns -EINVAL error immediately without passing
further to the driver's callback.  So this is a kind of hardening for
(badly written) drivers that have no proper error checks, at the cost
of a slight performance overhead.

Technically seen, this reuses a part of the existing validation code
for CONFIG_SND_CTL_DEBUG case with a slight modification to suppress
error prints for the input validation.

Link: https://lore.kernel.org/r/20220609120219.3937-5-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Drop superfluous ifdef CONFIG_SND_CTL_DEBUG</title>
<updated>2022-06-15T05:45:28+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-06-09T12:02:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4e54316ad2485dedf8570fc2afa6fa6ce32db207'/>
<id>urn:sha1:4e54316ad2485dedf8570fc2afa6fa6ce32db207</id>
<content type='text'>
Compilers should be smart enough to optimize out the dead functions,
so we don't need to define ugly dummy functions with ifdef.

Link: https://lore.kernel.org/r/20220609120219.3937-4-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Rename CONFIG_SND_CTL_VALIDATION to CONFIG_SND_CTL_DEBUG</title>
<updated>2022-06-15T05:45:27+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2022-06-09T12:02:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1b7ec5143c34f167266fa21245d99bacb4db4aa6'/>
<id>urn:sha1:1b7ec5143c34f167266fa21245d99bacb4db4aa6</id>
<content type='text'>
The purpose of CONFIG_SND_CTL_VALIDATION is rather to enable the
debugging feature for the control API.  The validation is only a part
of it.  Let's rename it to be more explicit and intuitive.

While we're at it, let's advertise, give more comment to recommend
this feature for development in the kconfig help text.

Link: https://lore.kernel.org/r/20220609120219.3937-3-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
</feed>
