• Takashi Iwai's avatar
    ALSA: oss: Fix PCM OSS buffer allocation overflow · efb6402c
    Takashi Iwai authored
    We've got syzbot reports hitting INT_MAX overflow at vmalloc()
    allocation that is called from snd_pcm_plug_alloc().  Although we
    apply the restrictions to input parameters, it's based only on the
    hw_params of the underlying PCM device.  Since the PCM OSS layer
    allocates a temporary buffer for the data conversion, the size may
    become unexpectedly large when more channels or higher rates is given;
    in the reported case, it went over INT_MAX, hence it hits WARN_ON().
    
    This patch is an attempt to avoid such an overflow and an allocation
    for too large buffers.  First off, it adds the limit of 1MB as the
    upper bound for period bytes.  This must be large enough for all use
    cases, and we really don't want to handle a larger temporary buffer
    than this size.  The size check is performed at two places, where the
    original period bytes is calculated and where the plugin buffer size
    is calculated.
    
    In addition, the driver uses array_size() and array3_size() for
    multiplications to catch overflows for the converted period size and
    buffer bytes.
    
    Reported-by: syzbot+72732c532ac1454eeee9@syzkaller.appspotmail.com
    Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/00000000000085b1b305da5a66f3@google.com
    Link: https://lore.kernel.org/r/20220318082036.29699-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    efb6402c
pcm_oss.c 87 KB