Bug 44721 - Missing NULL check of the return value of snd_ctl_new1() in function snd_ac97_cvol_new()
Summary: Missing NULL check of the return value of snd_ctl_new1() in function snd_ac97...
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: Sound(ALSA) (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Jaroslav Kysela
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-13 12:11 UTC by RUC_Soft_Sec
Modified: 2012-11-08 14:21 UTC (History)
3 users (show)

See Also:
Kernel Version: 2.6.39
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description RUC_Soft_Sec 2012-07-13 12:11:08 UTC
Function snd_ctl_new1() creates a control instance from the template, and will return the newly generated instance or NULL on failure, thus the return value of snd_ctl_new1() shall be checked against NULL before used. But there is no NULL checking after the call of snd_ctl_new1() in function snd_ac97_cvol_new()(defined at sound/pci/ac97/ac97_codec.c:1267). Related codes are as following. From the source code, we can see snd_ctl_new1() is called at line 1267 and 1272, and there is no checking of their return value.

snd_ac97_cvol_new() @@sound/pci/ac97/ac97_codec.c:1263
1263        if (hi_max) {
1264                /* invert */
1265                struct snd_kcontrol_new tmp = AC97_DOUBLE(name, reg, 8, 0, lo_max, 1);
1266                tmp.index = ac97->num;
1267                kctl = snd_ctl_new1(&tmp, ac97);
1268        } else {
1269                /* invert */
1270                struct snd_kcontrol_new tmp = AC97_SINGLE(name, reg, 0, lo_max, 1);
1271                tmp.index = ac97->num;
1272                kctl = snd_ctl_new1(&tmp, ac97);
1273        }
1274        if (reg >= AC97_PHONE && reg <= AC97_PCM)
1275                set_tlv_db_scale(kctl, db_scale_5bit_12db_max);
1276        else
1277                set_tlv_db_scale(kctl, find_db_scale(lo_max));
1278        err = snd_ctl_add(card, kctl);
Comment 1 Florian Mickler 2012-10-23 20:56:55 UTC
A patch referencing this bug report has been merged in Linux v3.7-rc2:

commit 733a48e5ae5bf28b046fad984d458c747cbb8c21
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Oct 11 16:43:40 2012 +0200

    ALSA: ac97 - Fix missing NULL check in snd_ac97_cvol_new()

Note You need to log in before you can comment on or make changes to this bug.