Diffusion FreeBSD src repository 5830a00c2c54

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
5830a00c2c54
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
however we currently do not check whether this size is actually valid,
which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
invalid size. sndstat_add_user_devs() calls
sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.

PR: 266142
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D45236

(cherry picked from commit 074d337ad618f9cc2a1d5ab18b484928e57bd72b)

Details

Provenance

Authored on Mon, May 20, 2:18 PM

Reviewer

Differential Revision

D45236: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

Parents

rGbca6f391aed9: sound: Prevent uninitialized variable destruction in chn_init()

Branches

Unknown

Tags

Unknown

Event Timeline

christos committed rG5830a00c2c54: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS* (authored by christos).Tue, May 21, 5:45 PM

christos added an edge: D45236: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*.Tue, May 21, 5:54 PM

christos mentioned this in rG18f80d6d4634: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*.Wed, May 22, 1:23 PM

Changes (2)

Path

Size

sys/

dev/

sound/

pcm/

sys/

rG5830a00c2c54

sys/dev/sound/pcm/sndstat.c

Loading...

sys/sys/sndstat.h

Loading...