sound/oss: remove offset from load_patch callbacks
Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of uninitialized value, and signedness issue

The offset passed to midi_synth_load_patch() can be essentially arbitrary. If it's greater than the header length, this will result in a copy_from_user(dst, src, negative_val). While this will just return -EFAULT on x86, on other architectures this may cause memory corruption.

Additionally, the length field of the sysex_info structure may not be initialized prior to its use. Finally, a signed comparison may result in an unintentionally large loop.

On suggestion by Takashi Iwai, version two removes the offset argument from the load_patch callbacks entirely, which also resolves similar issues in opl3. Compile tested only.

v3 adjusts comments and hopefully gets copy offsets right.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
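The length underflow the message describes, shown as an added user-space model rather than the patch's own code; the header layout, the `unsafe_body_len`, `load_patch` and `run_sample` names and the sample buffer are constructed assumptions, not the OSS driver's real structures:

```c
/* Constructed user-space model of the bug class named in the commit
 * message (not kernel code): a caller-controlled offset subtracted from
 * the count underflows and becomes a huge unsigned copy length. */
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Assumed patch header: a key byte, then a 32-bit payload length. */
struct patch_hdr {
    uint8_t  key;
    uint32_t len;                 /* payload bytes following the header */
};
#define HDR_LEN ((int)sizeof(struct patch_hdr))

/* "Before" pattern: count - offset - header is computed in signed int and
 * then converted to size_t for the copy, so an offset larger than count
 * wraps to a value far beyond the source buffer. */
size_t unsafe_body_len(int count, int offset)
{
    return (size_t)(count - offset - HDR_LEN);
}

/* Hardened loader modelled on the fix: no offset argument, the header is
 * read in full before its len field is used, and every length is checked
 * against both the source count and the destination. Returns payload
 * bytes copied, or -1 on rejection. */
int load_patch(const uint8_t *src, int count, uint8_t *dst, size_t dst_len)
{
    struct patch_hdr hdr;
    if (count < HDR_LEN)
        return -1;                             /* truncated header */
    memcpy(&hdr, src, sizeof hdr);             /* len initialized here */
    size_t body = (size_t)count - HDR_LEN;     /* no underflow: checked above */
    if (hdr.len > body || hdr.len > dst_len || hdr.len > INT_MAX)
        return -1;                             /* declared len out of bounds */
    memcpy(dst, src + HDR_LEN, hdr.len);
    return (int)hdr.len;
}

/* Builds a constructed 32-byte patch with the given declared length and
 * feeds `count` bytes of it to load_patch() with an 8-byte destination. */
int run_sample(uint32_t declared_len, int count)
{
    uint8_t src[32] = {0}, dst[8] = {0};
    struct patch_hdr hdr = { .key = 1, .len = declared_len };
    memcpy(src, &hdr, sizeof hdr);
    memset(src + HDR_LEN, 0xAA, sizeof src - HDR_LEN);
    return count <= (int)sizeof src ? load_patch(src, count, dst, sizeof dst) : -1;
}
```

`unsafe_body_len(16, 40)` returns a length larger than the 16-byte source, which is exactly what a bounds-unaware copy would then be handed; `load_patch` rejects the same inputs.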
Showing 5 changed files:
- sound/oss/dev_table.h: 1 addition, 1 deletion
- sound/oss/midi_synth.c: 13 additions, 17 deletions
- sound/oss/midi_synth.h: 1 addition, 1 deletion
- sound/oss/opl3.c: 2 additions, 6 deletions
- sound/oss/sequencer.c: 1 addition, 1 deletion