Bug 44541 - Missing check of the return value of snd_pcm_create() in function lx_pcm_create()
Summary: Missing check of the return value of snd_pcm_create() in function lx_pcm_crea...
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Sound(ALSA) (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Takashi Iwai
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-12 13:57 UTC by RUC_Soft_Sec
Modified: 2012-08-26 10:48 UTC (History)
4 users (show)

See Also:
Kernel Version: 2.6.39
Tree: Mainline
Regression: No


Attachments

Description RUC_Soft_Sec 2012-07-12 13:57:51 UTC
Function snd_pcm_create() will return a negative number when it fails to create a new PCM instance, thus its return value shall be checked before further manipulations of the created PCM. But in function lx_pcm_create(), at sound/pci/lx6464es/lx6464es.c:839, there is no checking of the return value of lx_pcm_create() at line 853, which may trigger an invalid memmory access error when dereferencing variable pcm at line 856.
The related codes in lx_pcm_create() are as following.
lx_pcm_create @@sound/pci/lx6464es/lx6464es.c:853
 853        err = snd_pcm_new(chip->card, (char *)card_name, 0,
 854                          1, 1, &pcm);
 855
 856        pcm->private_data = chip;

Generally, the return value of snd_pcm_create() shall be checked to make sure that the PCM instance is create successfully. Like the following codes from the same device driver.
snd_azf3328_pcm @@sound/pci/azt3328.c:2225
2225        err = snd_pcm_new(chip->card, "AZF3328 DSP", AZF_PCMDEV_STD,
2226                                                                1, 1, &pcm);
2227        if (err < 0)
2228                return err;
2229        snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK,
2230                                                &snd_azf3328_playback_ops);


Thank you

RUC_Soft_Sec
Comment 1 RUC_Soft_Sec 2012-08-14 13:37:41 UTC
I am sorry to trouble, but I want to make sure whether this a real bug or a false positive.

Thank you

RUC_Soft_Sec
Comment 2 Bjorn Helgaas 2012-08-14 15:27:30 UTC
This does look like a bug in the lx6464es.c sound driver.  If you'd like to fix it, you can try sending a patch to Jaroslav Kysela <perex@perex.cz> and Takashi Iwai <tiwai@suse.de> (maintainers of the sound system).
Comment 3 Takashi Iwai 2012-08-14 15:44:02 UTC
Yes, it looks like a real bug.  I fixed now in sound git tree.

Thanks.
Comment 4 Florian Mickler 2012-08-26 10:48:38 UTC
A patch referencing this bug report has been merged in Linux v3.6-rc3:

commit 3bdcff70b6cd049e6f4437b955850f5db83653cc
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Aug 14 17:42:11 2012 +0200

    ALSA: lx6464es: Add a missing error check

Note You need to log in before you can comment on or make changes to this bug.