From patchwork Fri May 29 08:58:56 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Takashi Sakamoto <o-takashi@sakamocchi.jp>
X-Patchwork-Id: 6505671
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Original-To: patchwork-alsa-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 6873FC0020
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Fri, 29 May 2015 09:00:20 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 773072077C
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Fri, 29 May 2015 09:00:19 +0000 (UTC)
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.kernel.org (Postfix) with ESMTP id 1E3CC20770
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Fri, 29 May 2015 09:00:18 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 12F3C26663A; Fri, 29 May 2015 11:00:17 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
Received: from alsa0.perex.cz (localhost [IPv6:::1])
	by alsa0.perex.cz (Postfix) with ESMTP id E7FB92606F7;
	Fri, 29 May 2015 10:59:15 +0200 (CEST)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id F028926068A; Fri, 29 May 2015 10:59:13 +0200 (CEST)
Received: from smtp301.phy.lolipop.jp (smtp301.phy.lolipop.jp
	[210.157.22.84])
	by alsa0.perex.cz (Postfix) with ESMTP id A798F2604BE;
	Fri, 29 May 2015 10:59:03 +0200 (CEST)
Received: from smtp301.phy.lolipop.lan (HELO smtp301.phy.lolipop.jp)
	(172.17.1.84)
	(smtp-auth username m12129643-o-takashi, mechanism plain)
	by smtp301.phy.lolipop.jp (qpsmtpd/0.82) with ESMTPA;
	Fri, 29 May 2015 17:59:01 +0900
Received: from 127.0.0.1 (127.0.0.1)
	by smtp301.phy.lolipop.jp (LOLIPOP-Fsecure);
	Fri, 29 May 2015 17:58:57 +0900 (JST)
X-Virus-Status: clean(LOLIPOP-Fsecure)
From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
To: tiwai@alsa-project.org,
	perex@perex.cz
Date: Fri, 29 May 2015 17:58:56 +0900
Message-Id: <1432889937-15413-2-git-send-email-o-takashi@sakamocchi.jp>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1432889937-15413-1-git-send-email-o-takashi@sakamocchi.jp>
References: <1432889937-15413-1-git-send-email-o-takashi@sakamocchi.jp>
Cc: alsa-devel@alsa-project.org
Subject: [alsa-devel] [PATCH 1/2] ALSA: control: add dimension validator for
	userspace element
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

The 'dimen' field in struct snd_ctl_elem_info is used to compose
all of channels in the control element as multi-dimensional matrix.
The field has four members. Each member represents the number in
each dimension level. For example, if the channels consist of typical
two dimensional matrix, the dimen[0] represents the number of rows
and dimen[1] represents the number of columns, or vise-versa.

The total elements in the matrix should be within the number of
channels in the control element, while current implementation has
no validator of this information. In a view of userspace applications,
the information must be valid so that it cannot cause any bugs such as
buffer-over-run.

This commit adds a validator of dimen information for userspace
applications which add new control elements. When they add the elements
with wrong dimen information, they receive EINVAL.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
---
 sound/core/control.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 196a6fe..9b77afd 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -805,6 +805,25 @@ static int snd_ctl_elem_list(struct snd_card *card,
 	return 0;
 }
 
+static bool validate_dimen(struct snd_ctl_elem_info *info)
+{
+	unsigned int elements;
+	unsigned int i;
+
+	/*
+	 * When drivers don't use dimen field, this value is zero and pass the
+	 * validation. Else, calculated number of elements is validated.
+	 */
+	elements = info->dimen.d[0];
+	for (i = 1; i < ARRAY_SIZE(info->dimen.d); ++i) {
+		if (info->dimen.d[i] == 0)
+			break;
+		elements *= info->dimen.d[i];
+	}
+
+	return elements <= info->count;
+}
+
 static int snd_ctl_elem_info(struct snd_ctl_file *ctl,
 			     struct snd_ctl_elem_info *info)
 {
@@ -1272,6 +1291,8 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
 	if (info->count < 1 ||
 	    info->count > max_value_counts[info->type])
 		return -EINVAL;
+	if (!validate_dimen(info))
+		return -EINVAL;
 	private_size = value_sizes[info->type] * info->count;
 
 	/*