Fwd: Re: [alsa-devel] /proc/asound/card0/oss_mixer stack corruption

Andy Whitcroft apw at canonical.com
Wed Aug 27 10:46:35 UTC 2014 

On Fri, Aug 22, 2014 at 09:13:37AM +0200, David Henningsson wrote:
> Just cross-posting this here because it looks quite severe. (And possibly a
> security issue?)
> 
> We don't have any oss_mixer files AFAIK, but according to the post below, it
> should apply to eld* files too, present for almost every HDMI audio card out
> there.
> So I tried "printf %64s > /proc/asound/card0/eld#0.0" but did not notice
> anything - but maybe this is either because of the stack layout of the
> actual function, or because we configure the kernel without the stack
> checking used here to discover.
> 
> Either way, looks like it should be fixed ASAP.

This appears to be, in Takashi Iwai's tree, looks to be pending on
his for-linus branch, so I expect that to be with him in the next merge
request.  It also is marked for stable, so we should expect to see it
popping into those trees pretty soon after:

  commit ddc64b278a4dda052390b3de1b551e59acdff105
  Author: Clemens Ladisch <clemens at ladisch.de>
  Date:   Thu Aug 21 20:55:21 2014 +0200

    ALSA: core: fix buffer overflow in snd_info_get_line()
    
    snd_info_get_line() documents that its last parameter must be one
    less than the buffer size, but this API design guarantees that
    (literally) every caller gets it wrong.
    
    Just change this parameter to have its obvious meaning.
    
    Reported-by: Tommi Rantala <tt.rantala at gmail.com>
    Cc: <stable at vger.kernel.org> # v2.2.26+
    Signed-off-by: Clemens Ladisch <clemens at ladisch.de>
    Signed-off-by: Takashi Iwai <tiwai at suse.de>

> >--8<---------------------------------------------------------------->8--
> >ALSA: core: fix buffer overflow in snd_info_get_line()
> >
> >snd_info_get_line() documents that its last parameter must be one
> >less than the buffer size, but this API design guarantees that
> >(literally) every caller gets it wrong.
> >
> >Just change this parameter to have its obvious meaning.
> >
> >Reported-by: Tommi Rantala <tt.rantala at gmail.com>
> >Cc: <stable at vger.kernel.org> # v2.2.26+
> >Signed-off-by: Clemens Ladisch <clemens at ladisch.de>

-apw

More information about the kernel-team mailing list