Exact Kernel version: 2.5.48
Distribution: kernel.org
Hardware Environment: unknown
Software Environment: Stanford Checker

Problem Description:
See Thread at: http://marc.theaimsgroup.com/?t=104155440600003&r=1&w=2

[BUG] /u1/acc/linux/2.5.48/sound/oss/sb_mixer.c:238:change_bits: ERROR:BUFFER:238:238:Array bounds error: *devc->iomap[32] indexed with [32]
[Callstack: /u1/acc/linux/2.5.48/sound/oss/sb_ess.c:1722:sb_common_mixer_set(_, 32, _, _) -> /u1/acc/linux/2.5.48/sound/oss/sb_mixer.c:282:change_bits(_, _, 32, 0, _)]

    static void change_bits(sb_devc * devc, unsigned char *regval, int dev, int chn, int newval)
    {
        unsigned char mask;
        int shift;

    Error --->  mask = (1 << (*devc->iomap)[dev][chn].nbits) - 1;
        newval = (int) ((newval * mask) + 50) / 100;    /* Scale */
        shift = (*devc->iomap)[dev][chn].bitoffs - (*devc->iomap)[dev][LEFT_CHN].nbits + 1;

Steps to reproduce:
Created attachment 69 [details] simple bounds check
Comment on attachment 69 [details] simple bounds check
Sorry, wrong bug.
Created attachment 70 [details] bounds checks in sb_mixer.c (bugs 252-254)
This should take care of 253 and 254 as well.
Does anyone know the status of this bug? Has the patch been verified?
Not sure if this is the right fix or not. It is currently not included in the 2.5.70 code base.
Doesn't appear to be included in 2.6.5-rc2, either.
FWIW, there was some discussion on lkml about it, e.g. http://marc.theaimsgroup.com/?l=linux-kernel&m=104260148409541&w=2. Doesn't appear to have been included, though. I'll try to push it to akpm again.
Created attachment 2373 [details] add iomap_sz and use it to test dev against
This patch fixes the issue, taking into account that dev is used to dereference a variable sized array (devc->iomap), by storing the array's length in devc->iomap_sz and checking against that.
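As an added illustration of the fix this comment describes (example code, not the attached patch or the OSS driver's own source): a table whose length is carried next to its pointer, and the change_bits() arithmetic from the report guarded by a check of dev against that length. The struct names sb_devc_model and mixer_ent, the function change_bits_checked and the two-device table are constructed stand-ins for the real sb_devc/mixer_ent types.

```c
#include <stddef.h>
#include <stdio.h>
#define LEFT_CHN  0
#define RIGHT_CHN 1

/* Constructed stand-in for OSS mixer_ent: offset and width of a volume field. */
struct mixer_ent { unsigned char bitoffs, nbits; };
/* Constructed stand-in for sb_devc: the table behind iomap varies per card and
 * its length is not recoverable from the pointer, so iomap_sz carries it. */
struct sb_devc_model {
    const struct mixer_ent (*iomap)[2];
    size_t iomap_sz;
};

/* Same arithmetic as change_bits() in the report, plus the guard the attached
 * fix describes. Returns 0 on success, -1 if dev/chn fall outside the table. */
int change_bits_checked(const struct sb_devc_model *devc, unsigned char *regval,
                        int dev, int chn, int newval)
{
    unsigned char mask;
    int shift;
    if (dev < 0 || (size_t)dev >= devc->iomap_sz || chn < LEFT_CHN || chn > RIGHT_CHN)
        return -1;                                  /* reject before indexing */

    mask = (1 << devc->iomap[dev][chn].nbits) - 1;
    newval = (int)((newval * mask) + 50) / 100;     /* scale 0..100 to field */
    shift = devc->iomap[dev][chn].bitoffs - devc->iomap[dev][LEFT_CHN].nbits + 1;
    *regval &= ~(mask << shift);
    *regval |= (newval << shift) & (mask << shift);
    return 0;
}

/* Constructed two-device table: dev 0 has 4-bit left/right fields at bits 7..4
 * and 3..0 of one register; dev 1 is a single 3-bit field at bits 2..0. */
static const struct mixer_ent sample_tab[2][2] = {
    { {7, 4}, {3, 4} },
    { {2, 3}, {2, 3} },
};

int main(void)
{
    struct sb_devc_model devc = { sample_tab, 2 };
    unsigned char reg = 0;
    int rc = change_bits_checked(&devc, &reg, 0, LEFT_CHN, 100);
    printf("dev 0: rc=%d reg=0x%02x\n", rc, reg);             /* rc=0 reg=0xf0 */
    rc = change_bits_checked(&devc, &reg, 32, LEFT_CHN, 100); /* the reported call */
    printf("dev 32: rc=%d reg=0x%02x\n", rc, reg);            /* rc=-1 reg=0xf0 */
    return 0;
}
```

The second call is the index the checker flagged (dev = 32 from sb_common_mixer_set); with the length check it is refused and the register is left untouched instead of reading past the table.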
Patch is now included in akpm's 2.6.5-rc2-mm1.