From patchwork Mon Jan 18 13:35:00 2016
X-Patchwork-Submitter: Nicolas Boichat
X-Patchwork-Id: 8054791
From: Nicolas Boichat
To: Takashi Iwai
Date: Mon, 18 Jan 2016 21:35:00 +0800
Message-Id: <1453124101-3402-1-git-send-email-drinkcat@chromium.org>
X-Mailer: git-send-email 2.6.0.rc2.230.g3dd15c0
Cc: linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org, Nicolas Boichat, Pierre-Louis Bossart
Subject: [alsa-devel] [PATCH 1/2] ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode

This reverts one hunk of commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which replaced a number of kmalloc followed by memcpy with memdup calls.

In this case, we are copying from a struct snd_pcm_hw_params32 to a struct snd_pcm_hw_params, but the latter is 4 bytes longer than the 32-bit version, so we need to separate kmalloc and copy calls.

This actually leads to an out-of-bounds memory access later on in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).

Signed-off-by: Nicolas Boichat
---
 sound/core/pcm_compat.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
index b48b434..9630e9f 100644
--- a/sound/core/pcm_compat.c
+++ b/sound/core/pcm_compat.c
@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream, if (! (runtime = substream->runtime)) return -ENOTTY; - /* only fifo_size is different, so just copy all */ - data = memdup_user(data32, sizeof(*data32)); - if (IS_ERR(data)) - return PTR_ERR(data); + data = kmalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + + /* only fifo_size (RO from userspace) is different, so just copy all */ + if (copy_from_user(data, data32, sizeof(*data32))) { + err = -EFAULT; + goto error; + } if (refine) err = snd_pcm_hw_refine(substream, data);
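Review bot: the bytes of *data beyond sizeof(*data32) are left uninitialised in this hunk, because kmalloc(sizeof(*data), GFP_KERNEL) does not clear the buffer and copy_from_user() fills only sizeof(*data32) bytes of it, while the commit message says the native struct is 4 bytes longer. The new comment says fifo_size is read-only from userspace, so the kernel presumably overwrites it later, but that is not visible here; using kzalloc(sizeof(*data), GFP_KERNEL) instead (or a memset of the remainder after the copy) would make the fix independent of what snd_pcm_hw_refine()/snd_pcm_hw_params() do with the tail and would rule out stale kernel memory ever being copied back out. Also, "goto error" depends on an error: label that frees data; it is outside the shown context, so please confirm it exists and that the kmalloc allocation is freed on that path, since the memdup_user() variant being replaced also needed the same cleanup.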
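The bug the commit message describes is a generic one: memdup_user(src, sizeof(*src)) sizes the allocation by the compat (source) struct, while the pointer is then used as the larger native (destination) struct, so every access to the trailing native fields runs past the end of the allocation. The userland C program below is an added illustration of the fixed pattern, not code from this patch or from ALSA: struct hw_params32 and struct hw_params are hypothetical stand-ins for the real snd_pcm_hw_params32/snd_pcm_hw_params with the same shape of problem (identical leading fields, a wider fifo_size natively), and copy_from_user_sim(), compat_copy() and hw_params_from_compat() are names invented here. It goes slightly beyond the hunk in that it zeroes the destination before the shorter copy and refuses a source larger than the destination.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for struct snd_pcm_hw_params32 / snd_pcm_hw_params
 * (NOT the real ALSA definitions): same leading fields at the same offsets,
 * then a fifo_size that is 32-bit in the compat ABI and 64-bit natively, so
 * the native struct is longer than the compat one. */
struct hw_params32 {
    uint32_t flags;
    uint32_t rate_num;
    uint32_t rate_den;
    uint32_t fifo_size;
    unsigned char reserved[16];
};

struct hw_params {
    uint32_t flags;
    uint32_t rate_num;
    uint32_t rate_den;
    uint64_t fifo_size;          /* kernel-written, "RO from userspace" */
    unsigned char reserved[16];
};

/* The whole point of the fix: a compat copy must never be sized by the
 * source while the buffer is used as the (larger) destination type. */
_Static_assert(sizeof(struct hw_params) >= sizeof(struct hw_params32),
               "native struct must be at least as large as the compat one");

/* How many bytes a memdup_user(data32, sizeof(*data32)) allocation would
 * fall short of the native struct: these are the bytes read out of bounds. */
size_t memdup_shortfall_bytes(void)
{
    return sizeof(struct hw_params) - sizeof(struct hw_params32);
}

/* Stand-in for copy_from_user(): here a plain memcpy from a caller buffer
 * (this is a userland demo, so there is no user/kernel boundary). */
static int copy_from_user_sim(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;            /* copy_from_user returns bytes NOT copied; 0 = ok */
}

/* Hardened copy: the destination is allocated and sized as the native type,
 * zeroed so the bytes past src_size are never stale heap contents, and the
 * call is rejected outright if the caller mixed the two sizes up. */
int compat_copy(void *dst, size_t dst_size, const void *src, size_t src_size)
{
    if (src_size > dst_size)
        return -EINVAL;
    memset(dst, 0, dst_size);
    if (copy_from_user_sim(dst, src, src_size))
        return -EFAULT;
    return 0;
}

/* Mirrors the fixed hunk: kmalloc(sizeof(*data)) followed by a copy of only
 * sizeof(*data32) bytes, with the kernel-owned field set afterwards. */
struct hw_params *hw_params_from_compat(const struct hw_params32 *user32)
{
    struct hw_params *p = malloc(sizeof(*p));   /* sized by *destination* */
    if (!p)
        return NULL;
    if (compat_copy(p, sizeof(*p), user32, sizeof(*user32)) != 0) {
        free(p);
        return NULL;
    }
    /* Like the kernel, we ignore whatever fifo_size the user supplied and
     * fill the native field ourselves; the compat layout past rate_den is
     * shifted relative to the native one, so only the leading fields are
     * trusted to line up. */
    p->fifo_size = 0;
    return p;
}
```

The asymmetry to remember when reading compat ioctl code is that the copy length must come from the user-facing type and the allocation length from the kernel-facing type; any helper that takes a single size, as memdup_user() does, silently conflates the two.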