1. 15 7月, 2014 1 次提交
  2. 18 6月, 2014 5 次提交
    • L
      ALSA: control: Make sure that id->index does not overflow · 883a1d49
      Lars-Peter Clausen 提交于
      The ALSA control code expects that the range of assigned indices to a control is
      continuous and does not overflow. Currently there are no checks to enforce this.
      If a control with a overflowing index range is created that control becomes
      effectively inaccessible and unremovable since snd_ctl_find_id() will not be
      able to find it. This patch adds a check that makes sure that controls with a
      overflowing index range can not be created.
      Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
      Acked-by: NJaroslav Kysela <perex@perex.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      883a1d49
    • L
      ALSA: control: Handle numid overflow · ac902c11
      Lars-Peter Clausen 提交于
      Each control gets automatically assigned its numids when the control is created.
      The allocation is done by incrementing the numid by the amount of allocated
      numids per allocation. This means that excessive creation and destruction of
      controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
      eventually overflow. Currently when this happens for the control that caused the
      overflow kctl->id.numid + kctl->count will also over flow causing it to be
      smaller than kctl->id.numid. Most of the code assumes that this is something
      that can not happen, so we need to make sure that it won't happen
      Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
      Acked-by: NJaroslav Kysela <perex@perex.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      ac902c11
    • L
      ALSA: control: Don't access controls outside of protected regions · fd9f26e4
      Lars-Peter Clausen 提交于
      A control that is visible on the card->controls list can be freed at any time.
      This means we must not access any of its memory while not holding the
      controls_rw_lock. Otherwise we risk a use after free access.
      Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
      Acked-by: NJaroslav Kysela <perex@perex.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      fd9f26e4
    • L
      ALSA: control: Fix replacing user controls · 82262a46
      Lars-Peter Clausen 提交于
      There are two issues with the current implementation for replacing user
      controls. The first is that the code does not check if the control is actually a
      user control and neither does it check if the control is owned by the process
      that tries to remove it. That allows userspace applications to remove arbitrary
      controls, which can cause a user after free if a for example a driver does not
      expect a control to be removed from under its feed.
      
      The second issue is that on one hand when a control is replaced the
      user_ctl_count limit is not checked and on the other hand the user_ctl_count is
      increased (even though the number of user controls does not change). This allows
      userspace, once the user_ctl_count limit as been reached, to repeatedly replace
      a control until user_ctl_count overflows. Once that happens new controls can be
      added effectively bypassing the user_ctl_count limit.
      
      Both issues can be fixed by instead of open-coding the removal of the control
      that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
      proper permission checks as well as decrements user_ctl_count after the control
      has been removed.
      
      Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
      beginning of the function if the control already exists is removed. This is not
      a problem though since the check is quite useless, because the lock that is
      protecting the control list is released between the check and before adding the
      new control to the list, which means that it is possible that a different
      control with the same settings is added to the list after the check. Luckily
      there is another check that is done while holding the lock in snd_ctl_add(), so
      we'll rely on that to make sure that the same control is not added twice.
      Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
      Acked-by: NJaroslav Kysela <perex@perex.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      82262a46
    • L
      ALSA: control: Protect user controls against concurrent access · 07f4d9d7
      Lars-Peter Clausen 提交于
      The user-control put and get handlers as well as the tlv do not protect against
      concurrent access from multiple threads. Since the state of the control is not
      updated atomically it is possible that either two write operations or a write
      and a read operation race against each other. Both can lead to arbitrary memory
      disclosure. This patch introduces a new lock that protects user-controls from
      concurrent access. Since applications typically access controls sequentially
      than in parallel a single lock per card should be fine.
      Signed-off-by: NLars-Peter Clausen <lars@metafoo.de>
      Acked-by: NJaroslav Kysela <perex@perex.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      07f4d9d7
  3. 14 2月, 2014 1 次提交
  4. 10 2月, 2014 1 次提交
    • T
      ALSA: Replace with IS_ENABLED() · 8eeaa2f9
      Takashi Iwai 提交于
      Replace the lengthy #if defined(XXX) || defined(XXX_MODULE) with the
      new IS_ENABLED() macro.
      
      The patch still doesn't cover all ifdefs.  For example, the dependency
      on CONFIG_GAMEPORT is still open-coded because this also has an extra
      dependency on MODULE.  Similarly, an open-coded ifdef in pcm_oss.c and
      some sequencer-related stuff are left untouched.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      8eeaa2f9
  5. 12 3月, 2013 1 次提交
  6. 30 10月, 2012 2 次提交
  7. 07 9月, 2012 1 次提交
  8. 13 3月, 2012 1 次提交
  9. 06 11月, 2011 1 次提交
  10. 01 11月, 2011 1 次提交
  11. 09 10月, 2011 1 次提交
  12. 24 8月, 2011 2 次提交
  13. 26 5月, 2011 1 次提交
  14. 22 3月, 2011 1 次提交
  15. 11 3月, 2011 1 次提交
  16. 08 3月, 2011 2 次提交
    • C
      ALSA: control: clean up snd_ctl_hole_check() · 0e82e5fa
      Clemens Ladisch 提交于
      The return value of snd_ctl_hole_check() is used only to detect whether
      to continue the loop in snd_ctl_find_hole() or not, so we can simplify
      the code by changing this return type to a boolean.  Also rename this
      function to better show what it actually does.
      Signed-off-by: NClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      0e82e5fa
    • C
      ALSA: control: fix numid conflict check for new controls · 7c733587
      Clemens Ladisch 提交于
      The purpose of the snd_ctl_hole_check() function is to find conflicts
      between the numerical IDs of the new control and those of any existing
      controls.  However, it would fail to detect an existing control whose
      count is smaller than the new control's count and whose interval of IDs
      is entirely contained in the interval of the new control's IDs.
      
      To fix this, use the correct formula to detect overlapping intervals,
      which happens to simplify the condition.
      
      This problem was not encountered so far because ALSA does not yet allow
      drivers to allocate specific control IDs.
      Signed-off-by: NClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      7c733587
  17. 10 1月, 2011 1 次提交
  18. 29 9月, 2010 1 次提交
    • D
      ALSA: prevent heap corruption in snd_ctl_new() · 5591bf07
      Dan Rosenberg 提交于
      The snd_ctl_new() function in sound/core/control.c allocates space for a
      snd_kcontrol struct by performing arithmetic operations on a
      user-provided size without checking for integer overflow.  If a user
      provides a large enough size, an overflow will occur, the allocated
      chunk will be too small, and a second user-influenced value will be
      written repeatedly past the bounds of this chunk.  This code is
      reachable by unprivileged users who have permission to open
      a /dev/snd/controlC* device (on many distros, this is group "audio") via
      the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
      Signed-off-by: NDan Rosenberg <drosenberg@vsecurity.com>
      Cc: <stable@kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      5591bf07
  19. 13 4月, 2010 1 次提交
    • T
      ALSA: core - Define llseek fops · 02f4865f
      Takashi Iwai 提交于
      Set no_llseek to llseek file ops of each sound component (but for hwdep).
      This avoids the implicit BKL invocation via generic_file_llseek() used
      as default when fops.llseek is NULL.
      
      Also call nonseekable_open() at each open ops to ensure the file flags
      have no seek bit.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      02f4865f
  20. 01 2月, 2010 2 次提交
  21. 18 11月, 2009 1 次提交
  22. 06 11月, 2009 2 次提交
  23. 17 8月, 2009 4 次提交
  24. 14 4月, 2009 1 次提交
  25. 16 3月, 2009 1 次提交
    • J
      Rationalize fasync return values · 60aa4924
      Jonathan Corbet 提交于
      Most fasync implementations do something like:
      
           return fasync_helper(...);
      
      But fasync_helper() will return a positive value at times - a feature used
      in at least one place.  Thus, a number of other drivers do:
      
           err = fasync_helper(...);
           if (err < 0)
                   return err;
           return 0;
      
      In the interests of consistency and more concise code, it makes sense to
      map positive return values onto zero where ->fasync() is called.
      
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: NJonathan Corbet <corbet@lwn.net>
      60aa4924
  26. 02 11月, 2008 1 次提交
    • A
      saner FASYNC handling on file close · 233e70f4
      Al Viro 提交于
      As it is, all instances of ->release() for files that have ->fasync()
      need to remember to evict file from fasync lists; forgetting that
      creates a hole and we actually have a bunch that *does* forget.
      
      So let's keep our lives simple - let __fput() check FASYNC in
      file->f_flags and call ->fasync() there if it's been set.  And lose that
      crap in ->release() instances - leaving it there is still valid, but we
      don't have to bother anymore.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      233e70f4
  27. 29 10月, 2008 1 次提交
  28. 09 9月, 2008 1 次提交