linux-sg2042/sound/core
Takashi Iwai 228af5a4fa ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl
Michael Forney reported an incorrect padding type that was defined in
the commit 80fe7430c7 ("ALSA: add new 32-bit layout for
snd_pcm_mmap_status/control") for PCM control mmap data.
His analysis is correct, and this caused the misplacements of PCM
control data on 32bit arch and 32bit compat mode.

The bug is that the __pad2 definition in __snd_pcm_mmap_control64
struct was wrongly with __pad_before_uframe, which should have been
__pad_after_uframe instead.  This struct is used in SYNC_PTR ioctl and
control mmap.  Basically this bug leads to two problems:

- The offset of avail_min field becomes wrong, it's placed right after
  appl_ptr without padding on little-endian

- When appl_ptr and avail_min are read as 64bit values in kernel side,
  the values become either zero or corrupted (mixed up)

One good news is that, because both user-space and kernel
misunderstand the wrong offset, at least, 32bit application running on
32bit kernel works as is.  Also, 64bit applications are unaffected
because the padding size is zero.  The remaining problem is the 32bit
compat mode; as mentioned in the above, avail_min is placed right
after appl_ptr on little-endian archs, 64bit kernel reads bogus values
for appl_ptr updates, which may lead to streaming bugs like jumping,
XRUN or whatever unexpected.
(However, we haven't heard any serious bug reports due to this over
years, so practically seen, it's fairly safe to assume that the impact
by this bug is limited.)

Ideally speaking, we should correct the wrong mmap status control
definition.  But this would cause again incompatibility with the
existing binaries, and fixing it (e.g. by renumbering ioctls) would be
really messy.

So, as of this patch, we only correct the behavior of 32bit compat
mode and keep the rest as is.  Namely, the SYNC_PTR ioctl is now
handled differently in compat mode to read/write the 32bit values at
the right offsets.  The control mmap of 32bit apps on 64bit kernels
has been already disabled (which is likely rather an overlook, but
this worked fine at this time :), so covering SYNC_PTR ioctl should
suffice as a fallback.

Fixes: 80fe7430c7 ("ALSA: add new 32-bit layout for snd_pcm_mmap_status/control")
Reported-by: Michael Forney <mforney@mforney.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Cc: <stable@vger.kernel.org>
Cc: Rich Felker <dalias@libc.org>
Link: https://lore.kernel.org/r/29QBMJU8DE71E.2YZSH8IHT5HMH@mforney.org
Link: https://lore.kernel.org/r/20211010075546.23220-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2021-10-11 18:10:47 +02:00
..
oss ALSA: oss: Fix assignment in if condition 2021-06-09 17:30:25 +02:00
seq Merge branch 'for-linus' into for-next 2021-08-09 07:53:22 +02:00
Kconfig ALSA: control - add generic LED trigger module as the new control layer 2021-03-30 15:33:58 +02:00
Makefile ALSA: control - add generic LED trigger module as the new control layer 2021-03-30 15:33:58 +02:00
compress_offload.c ALSA: compress: Initialize mutex in snd_compress_new() 2021-07-15 10:22:38 +02:00
control.c ALSA: control: Minor optimization for SNDRV_CTL_IOCTL_POWER_STATE 2021-05-25 08:49:06 +02:00
control_compat.c ALSA: control: Drop superfluous snd_power_wait() calls 2021-05-25 08:48:49 +02:00
control_led.c ALSA: core: control_led: use strscpy instead of strlcpy 2021-08-13 08:05:17 +02:00
ctljack.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
device.c ALSA: core: Add snd_device_get_state() helper 2020-03-23 18:09:19 +01:00
hrtimer.c ALSA: timer: Replace tasklet with work 2020-09-09 18:32:52 +02:00
hwdep.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
hwdep_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
info.c isystem: trim/fixup stdarg.h and other headers 2021-08-19 09:02:55 +09:00
info_oss.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
init.c ALSA: core: Fix double calls of snd_card_free() via devres 2021-07-31 10:36:06 +02:00
isadma.c ALSA: core: Add device-managed request_dma() 2021-07-19 16:16:34 +02:00
jack.c ALSA: jack: implement software jack injection via debugfs 2021-02-02 10:37:07 +01:00
memalloc.c ALSA: memalloc: Count continuous pages in vmalloc buffer handler 2021-08-13 10:17:25 +02:00
memalloc_local.h ALSA: memalloc: Minor refactoring 2021-08-04 08:07:46 +02:00
memory.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
misc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
pcm.c ALSA: pcm: use DEVICE_ATTR_RO macro 2021-05-25 09:00:04 +02:00
pcm_compat.c ALSA: pcm: Workaround for a wrong offset in SYNC_PTR compat ioctl 2021-10-11 18:10:47 +02:00
pcm_dmaengine.c ASoC: dmaengine_pcm: add peripheral configuration 2021-02-05 17:16:41 +00:00
pcm_drm_eld.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
pcm_iec958.c ALSA: iec958: Split status creation and fill 2021-06-08 17:05:41 +02:00
pcm_lib.c ALSA: pcm: fix divide error in snd_pcm_lib_ioctl 2021-08-27 22:34:12 +02:00
pcm_local.h ALSA: core: Abstract memory alloc helpers 2021-06-10 10:15:21 +02:00
pcm_memory.c ALSA: pcm: Allow exact buffer preallocation 2021-08-04 08:08:06 +02:00
pcm_misc.c ALSA: pcm: Fix assignment in if condition 2021-06-09 17:30:24 +02:00
pcm_native.c ALSA: pcm: Add SNDRV_PCM_INFO_EXPLICIT_SYNC flag 2021-08-14 08:38:25 +02:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: timer: Constify snd_timer_hardware definitions 2020-01-03 09:24:07 +01:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rawmidi.c ALSA: rawmidi: introduce SNDRV_RAWMIDI_IOCTL_USER_PVERSION 2021-09-23 09:26:40 +02:00
rawmidi_compat.c ALSA: rawmidi: Add framing mode 2021-05-17 16:02:44 +02:00
seq_device.c ALSA: seq: Fix a potential UAF by wrong private_free call order 2021-09-30 14:13:22 +02:00
sgbuf.c ALSA: memalloc: Fix mmap of SG-buffer with WC pages 2021-08-08 10:01:33 +02:00
sound.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
sound_oss.c ALSA: core: Fix assignment in if condition 2021-06-09 17:30:22 +02:00
timer.c ALSA: timer: Fix master timer notification 2021-06-03 09:39:58 +02:00
timer_compat.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
vmaster.c ALSA: Replace the word "slave" in vmaster API 2020-07-20 10:10:47 +02:00