Commit 1a38ae57 authored by Oswald Buddenhagen's avatar Oswald Buddenhagen Committed by Takashi Iwai
Browse files

ALSA: emu10k1: validate min/max values of translated controls



User space could pass arbitrary ranges, which were uncritically
accepted. This could lead to table lookups out of range.

I don't think that this is a security issue, as it only allowed someone
with CAP_SYS_ADMIN to crash the kernel, but still.

Setting an invalid translation mode will also be rejected now. That did
no harm, but it's still better to detect errors.

Signed-off-by: default avatarOswald Buddenhagen <oswald.buddenhagen@gmx.de>
Link: https://lore.kernel.org/r/20230514170323.3408834-4-oswald.buddenhagen@gmx.de


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent bb5ceb43
Loading
Loading
Loading
Loading
+26 −0
Original line number Diff line number Diff line
@@ -769,6 +769,32 @@ static int snd_emu10k1_verify_controls(struct snd_emu10k1 *emu,
			err = -EINVAL;
			goto __error;
		}
		switch (gctl->translation) {
		case EMU10K1_GPR_TRANSLATION_NONE:
			break;
		case EMU10K1_GPR_TRANSLATION_TABLE100:
			if (gctl->min != 0 || gctl->max != 100) {
				err = -EINVAL;
				goto __error;
			}
			break;
		case EMU10K1_GPR_TRANSLATION_BASS:
		case EMU10K1_GPR_TRANSLATION_TREBLE:
			if (gctl->min != 0 || gctl->max != 40) {
				err = -EINVAL;
				goto __error;
			}
			break;
		case EMU10K1_GPR_TRANSLATION_ONOFF:
			if (gctl->min != 0 || gctl->max != 1) {
				err = -EINVAL;
				goto __error;
			}
			break;
		default:
			err = -EINVAL;
			goto __error;
		}
	}
	for (i = 0; i < icode->gpr_list_control_count; i++) {
	     	/* FIXME: we need to check the WRITE access */