Bug 252

Summary:	Possible out of bounds bug in sb_mixer.c from Stanford Checker
Product:	Drivers	Reporter:	Hanna Linder (hannal)
Component:	Sound(OSS)	Assignee:	Muli Ben-Yehuda (mulix)
Status:	CLOSED CODE_FIX
Severity:	low	CC:	mulix
Priority:	P2
Hardware:	i386
OS:	Linux
Kernel Version:		Subsystem:
Regression:	---	Bisected commit-id:
Bug Depends on:
Bug Blocks:	253, 254
Attachments:	simple bounds check bounds checks in sb_mixer.c (bugs 252-254) add iomap_sz and use it to test dev against

Description Hanna Linder 2003-01-03 16:47:32 UTC

Exact Kernel version: 2.5.48
Distribution: kernel.org
Hardware Environment: unknown
Software Environment: Stanford Checker
Problem Description:
See Thread at: http://marc.theaimsgroup.com/?t=104155440600003&r=1&w=2
[BUG]
/u1/acc/linux/2.5.48/sound/oss/sb_mixer.c:238:change_bits:
ERROR:BUFFER:238:238:Array bounds error: *devc->iomap[32] indexed with [32]
[Callstack: /u1/acc/linux/2.5.48/sound/oss/sb_ess.c:1722:sb_common_mixer_set(_,
32, _, _) -> /u1/acc/linux/2.5.48/sound/oss/sb_mixer.c:282:change_bits(_, _, 32,
0, _)] 
static void change_bits(sb_devc * devc, unsigned char *regval, int dev, int chn,
int newval)
{
	unsigned char mask;
	int shift;


Error --->
	mask = (1 << (*devc->iomap)[dev][chn].nbits) - 1;
	newval = (int) ((newval * mask) + 50) / 100;	/* Scale */

	shift = (*devc->iomap)[dev][chn].bitoffs - (*devc->iomap)[dev][LEFT_CHN].nbits
+ 1;

Steps to reproduce:

Comment 1 pizza 2003-01-14 19:16:49 UTC

Created attachment 69 [details]
simple bounds check

Comment 2 pizza 2003-01-14 19:20:32 UTC

Comment on attachment 69 [details]
simple bounds check

sorry, wrong bug.

Comment 3 pizza 2003-01-14 19:36:54 UTC

Created attachment 70 [details]
bounds checks in sb_mixer.c (bugs 252-254)

this should take care of 253 and 254 as well

Comment 4 Stacy Woods 2003-04-15 06:38:29 UTC

Does anyone know the status of this bug?  Has the patch been verified?

Comment 5 Hanna Linder 2003-06-11 17:36:04 UTC

Not sure if this is the right fix or not. It is currently not included
in the 2.5.70 code base.

Comment 6 Muli Ben-Yehuda 2004-03-20 13:22:48 UTC

Doesn't appear to be included in 2.6.5-rc2, either.

Comment 7 Muli Ben-Yehuda 2004-03-20 13:31:46 UTC

FWIW, there was some discussion on lkml about it, e.g.
http://marc.theaimsgroup.com/?l=linux-kernel&m=104260148409541&w=2. Doesn't
appear to have been included, though. I'll try to push it to akpm again.

Comment 8 Muli Ben-Yehuda 2004-03-20 14:56:54 UTC

Created attachment 2373 [details]
add iomap_sz and use it to test dev against

This patch fixes the issue, taking into account that dev is used to dereference
a variable sized array (devc->iomap), by storing the array's length in
devc->iomap_sz and checking against that.

Comment 9 Muli Ben-Yehuda 2004-03-21 02:13:01 UTC

patch is now included in akpm's 2.6.5-rc2-mm1.