Bug 252 - Possible out of bounds bug in sb_mixer.c from Stanford Checker
Status: CLOSED CODE_FIX
Product: Drivers
Classification: Unclassified
Component: Sound(OSS)
Hardware: i386 Linux
Importance: P2 low
Assigned To: Muli Ben-Yehuda
Depends on:
Blocks: 253 254
Reported: 2003-01-03 16:47 UTC by Hanna Linder
Modified: 2004-12-02 06:52 UTC (History)

See Also:
Kernel Version:
Tree: Mainline
Regression: ---


Attachments
simple bounds check (531 bytes, patch)
2003-01-14 19:16 UTC, pizza
bounds checks in sb_mixer.c (bugs 252-254) (706 bytes, patch)
2003-01-14 19:36 UTC, pizza
add iomap_sz and use it to test dev against (3.62 KB, patch)
2004-03-20 14:56 UTC, Muli Ben-Yehuda

Description Hanna Linder 2003-01-03 16:47:32 UTC
Exact Kernel version: 2.5.48
Distribution: kernel.org
Hardware Environment: unknown
Software Environment: Stanford Checker
Problem Description:
See Thread at: http://marc.theaimsgroup.com/?t=104155440600003&r=1&w=2
[BUG]
/u1/acc/linux/2.5.48/sound/oss/sb_mixer.c:238:change_bits:
ERROR:BUFFER:238:238:Array bounds error: *devc->iomap[32] indexed with [32]
[Callstack: /u1/acc/linux/2.5.48/sound/oss/sb_ess.c:1722:sb_common_mixer_set(_, 32, _, _) -> /u1/acc/linux/2.5.48/sound/oss/sb_mixer.c:282:change_bits(_, _, 32, 0, _)]

static void change_bits(sb_devc * devc, unsigned char *regval, int dev, int chn, int newval)
{
	unsigned char mask;
	int shift;

Error --->
	mask = (1 << (*devc->iomap)[dev][chn].nbits) - 1;
	newval = (int) ((newval * mask) + 50) / 100;	/* Scale */

	shift = (*devc->iomap)[dev][chn].bitoffs - (*devc->iomap)[dev][LEFT_CHN].nbits + 1;

Steps to reproduce:
Comment 1 pizza 2003-01-14 19:16:49 UTC
Created attachment 69 [details]
simple bounds check
Comment 2 pizza 2003-01-14 19:20:32 UTC
Comment on attachment 69 [details]
simple bounds check

sorry, wrong bug.
Comment 3 pizza 2003-01-14 19:36:54 UTC
Created attachment 70 [details]
bounds checks in sb_mixer.c (bugs 252-254)

this should take care of 253 and 254 as well
Comment 4 Stacy Woods 2003-04-15 06:38:29 UTC
Does anyone know the status of this bug?  Has the patch been verified?  
Comment 5 Hanna Linder 2003-06-11 17:36:04 UTC
Not sure if this is the right fix or not. It is currently not included
in the 2.5.70 code base.
Comment 6 Muli Ben-Yehuda 2004-03-20 13:22:48 UTC
Doesn't appear to be included in 2.6.5-rc2, either. 
Comment 7 Muli Ben-Yehuda 2004-03-20 13:31:46 UTC
FWIW, there was some discussion on lkml about it, e.g.
http://marc.theaimsgroup.com/?l=linux-kernel&m=104260148409541&w=2. Doesn't
appear to have been included, though. I'll try to push it to akpm again. 
Comment 8 Muli Ben-Yehuda 2004-03-20 14:56:54 UTC
Created attachment 2373 [details]
add iomap_sz and use it to test dev against

This patch fixes the issue, taking into account that dev is used to dereference
a variable sized array (devc->iomap), by storing the array's length in
devc->iomap_sz and checking against that.
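The following is an added example, not code from this bug, from the attached patches, or from the kernel tree. It models in C the problem the description reports (the caller passes dev equal to the table length, 32 on a 32-entry iomap) and the shape of the fix comment 8 describes (keep the table's element count next to the pointer and reject any dev outside it before the table is touched). The mixer_ent field names come from the quoted checker output; the struct layouts, the sample table values, the sb_set_iomap helper, the -1 return convention and the two register-update lines after the shift computation (the report cuts the function off there) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define LEFT_CHN  0
#define RIGHT_CHN 1
#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Modelled on the per-device mixer table entries of the OSS Sound Blaster
 * driver; field names follow the checker output above, layout is assumed. */
typedef struct {
	unsigned char regno;	/* mixer register holding the field */
	unsigned char bitoffs;	/* position of the field's MSB in that register */
	unsigned char nbits;	/* width of the field in bits */
} mixer_ent;

/* Minimal device context: the table pointer plus, as in the fix from
 * comment 8, the table's element count stored right next to it. */
typedef struct {
	const mixer_ent (*iomap)[2];	/* [dev][chn], chn is LEFT_CHN/RIGHT_CHN */
	int iomap_sz;			/* number of dev rows in iomap */
} sb_devc;

/* Constructed sample table with four mixer devices (values are made up). */
static const mixer_ent sample_mix[][2] = {
	{ { 0x22, 7, 4 }, { 0x22, 3, 4 } },
	{ { 0x26, 7, 4 }, { 0x26, 3, 4 } },
	{ { 0x28, 7, 4 }, { 0x28, 3, 4 } },
	{ { 0x2e, 7, 4 }, { 0x2e, 3, 4 } },
};

/* Install a table together with its length, so the length can never drift
 * from the pointer it describes (hypothetical helper, not a kernel function). */
static void sb_set_iomap(sb_devc *devc, const mixer_ent (*tab)[2], int n)
{
	devc->iomap = tab;
	devc->iomap_sz = n;
}

/* Hardened change_bits: same arithmetic as the fragment quoted in the
 * description, but dev and chn are validated against the stored size before
 * any table access. Returns 0 on success, -1 if the index is out of range,
 * in which case *regval is left untouched. */
static int change_bits_checked(const sb_devc *devc, unsigned char *regval,
			       int dev, int chn, int newval)
{
	unsigned char mask;
	int shift;

	if (devc->iomap == NULL || dev < 0 || dev >= devc->iomap_sz)
		return -1;	/* this is the dev == 32 case from the report */
	if (chn != LEFT_CHN && chn != RIGHT_CHN)
		return -1;

	mask = (1 << devc->iomap[dev][chn].nbits) - 1;
	newval = (int) ((newval * mask) + 50) / 100;	/* Scale 0..100 onto the field */

	shift = devc->iomap[dev][chn].bitoffs - devc->iomap[dev][LEFT_CHN].nbits + 1;

	/* Assumed continuation of the original function: replace the field. */
	*regval &= ~(mask << shift);		/* clear the old value */
	*regval |= (newval & mask) << shift;	/* store the new value */
	return 0;
}

/* Exercise the check exactly as the bug report describes: dev == table size.
 * Returns 1 when the in-range writes land and the out-of-range one is refused. */
static int demo(void)
{
	sb_devc devc;
	unsigned char reg = 0;
	int bad;

	sb_set_iomap(&devc, sample_mix, ARRAY_SIZE(sample_mix));
	change_bits_checked(&devc, &reg, 0, LEFT_CHN, 100);	/* reg becomes 0xF0 */
	change_bits_checked(&devc, &reg, 0, RIGHT_CHN, 50);	/* reg becomes 0xF8 */
	bad = change_bits_checked(&devc, &reg, devc.iomap_sz, LEFT_CHN, 100);
	printf("reg=0x%02x out_of_range_rejected=%d\n", reg, bad == -1);
	return bad == -1 && reg == 0xF8;
}

int main(void)
{
	return demo() ? 0 : 1;
}
```

The point of carrying iomap_sz in the device context rather than hard-coding 32 is that the same change_bits serves several mixer tables; a check against a literal would silently break the day a shorter table is registered, while a check against the length installed alongside the pointer holds for every table.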
Comment 9 Muli Ben-Yehuda 2004-03-21 02:13:01 UTC
patch is now included in akpm's 2.6.5-rc2-mm1. 
