• Richard Fitzgerald's avatar
    ALSA: control: Fix memory corruption risk in snd_ctl_elem_read · 5a23699a
    Richard Fitzgerald authored
    The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE
    operations" introduced a potential for kernel memory corruption due
    to an incorrect if statement allowing non-readable controls to fall
    through and call the get function. For TLV controls a driver can omit
    SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function
    can be called. Instead the normal get() can be invoked unexpectedly
    and as the driver expects that this will only be called for controls
    <= 512 bytes, potentially try to copy >512 bytes into the 512 byte
    return array, so corrupting kernel memory.
    
    The problem is an attempt to refactor the snd_ctl_elem_read function
    to invert the logic so that it conditionally aborted if the control
    is unreadable instead of conditionally executing. But the if statement
    wasn't inverted correctly.
    
    The correct inversion of
    
        if (a && !b)
    
    is
        if (!a || b)
    
    Fixes: becf9e5d ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations")
    Signed-off-by: default avatarRichard Fitzgerald <rf@opensource.cirrus.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    5a23699a
control.c 51.1 KB