Commit a04dae6f authored by Dan Carpenter, committed by Takashi Iwai

ALSA: silence integer wrapping warning

This patch doesn't change runtime at all, it's just for kernel hardening.

The "count" here comes from the user and on 32bit systems, it leads to
integer wrapping when we pass it to compute_user_elem_size():

	alloc_size = compute_user_elem_size(private_size, count);

However, the integer overflow is harmless because later "count" is checked
when we pass it to snd_ctl_new():

	err = snd_ctl_new(&kctl, count, access, file);

These days as part of kernel hardening we're trying to avoid integer
overflows when they affect size_t type.  So to avoid the integer overflow
copy the check from snd_ctl_new() and do it at the start of the
snd_ctl_elem_add() function as well.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://patch.msgid.link/5457e8c1-01ff-4dd9-b49c-15b817f65ee7@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
parent 8a193d8e
...@@ -1641,6 +1641,8 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, ...@@ -1641,6 +1641,8 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
count = info->owner; count = info->owner;
if (count == 0) if (count == 0)
count = 1; count = 1;
if (count > MAX_CONTROL_COUNT)
return -EINVAL;
/* Arrange access permissions if needed. */ /* Arrange access permissions if needed. */
access = info->access; access = info->access;
......
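Review bot: the new `if (count > MAX_CONTROL_COUNT)` check, placed right after the `count == 0` fix-up, carries no comment saying why it duplicates the bound that snd_ctl_new() already enforces. Since the commit message describes it as a copy of that later check, a future cleanup could drop it as redundant and bring back the 32-bit wrap in compute_user_elem_size(). A one-line comment above the check stating that it must stay ahead of the alloc_size computation would document the ordering dependency.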