sound: BUG in snd_ctl_find_numid


Dmitry Vyukov

Jan 18, 2016, 8:00:09 AM1/18/16
to Jaroslav Kysela, Takashi Iwai, Takashi Sakamoto, alsa-...@alsa-project.org, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Hello,

The following program triggers a BUG in snd_ctl_find_numid:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

int main()
{
    struct snd_ctl_tlv tlv;
    /* first ALSA control device; needs read/write access to it */
    int fd = open("/dev/snd/controlC0", O_RDWR);
    if (fd < 0) {
        perror("open /dev/snd/controlC0");
        return 1;
    }
    /* numid 0 with a length that passes the ioctl's minimum-length check */
    tlv.numid = 0;
    tlv.length = 8;
    if (ioctl(fd, SNDRV_CTL_IOCTL_TLV_WRITE, &tlv) < 0)
        perror("ioctl SNDRV_CTL_IOCTL_TLV_WRITE");
    close(fd);
    return 0;
}

------------[ cut here ]------------
WARNING: CPU: 1 PID: 29204 at sound/core/control.c:668 snd_ctl_find_numid+0xff/0x130()
Modules linked in:
CPU: 1 PID: 29204 Comm: a.out Tainted: G W 4.4.0+ #259
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88005e55fb30 ffffffff8298accd 0000000000000000
ffff8800647caf80 ffffffff86d23d80 ffff88005e55fb70 ffffffff81352089
ffffffff84f16b3f ffffffff86d23d80 000000000000029c ffff88002402cb60
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff8298accd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff84f16b3f>] snd_ctl_find_numid+0xff/0x130 sound/core/control.c:668
[<ffffffff84f1caf9>] snd_ctl_tlv_ioctl+0x119/0x680 sound/core/control.c:1409
[<ffffffff84f1f88b>] snd_ctl_ioctl+0x24b/0xdd0 sound/core/control.c:1501
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817ebfac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817ece5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff863259b6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 010bca66b8d6c52a ]---

On commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4.

Takashi Iwai

Jan 18, 2016, 8:17:33 AM1/18/16
to Dmitry Vyukov, alsa-...@alsa-project.org, Jaroslav Kysela, Takashi Sakamoto, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Mon, 18 Jan 2016 13:59:49 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers a BUG in snd_ctl_find_numid:

Do I understand correctly that you meant a kernel WARNING with a stack
trace as a "BUG"? If so, the patch below should cover it.


thanks,

Takashi

-- 8< --
From: Takashi Iwai <ti...@suse.de>
Subject: [PATCH] ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call. The check was
intended obviously only for a kernel driver, but not for a user
interaction. Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Cc: <sta...@vger.kernel.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>
---
sound/core/control.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 196a6fe100ca..a85d45595d02 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
return -EFAULT;
if (tlv.length < sizeof(unsigned int) * 2)
return -EINVAL;
+ if (!tlv.numid)
+ return -EINVAL;
down_read(&card->controls_rwsem);
kctl = snd_ctl_find_numid(card, tlv.numid);
if (kctl == NULL) {
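Review bot: the new `if (!tlv.numid) return -EINVAL;` is placed next to the existing length check and before `down_read(&card->controls_rwsem)`, so the early return holds no lock; that ordering is the right one. Note that the reproducer in the report uses `tlv.length = 8`, which exactly satisfies `tlv.length < sizeof(unsigned int) * 2`, so this numid check is the only thing that stops it; a one-line comment saying that numid 0 is rejected here because `snd_ctl_find_numid` treats it as a kernel-side bug rather than a lookup miss would keep a future reader from moving the check below the lookup or relaxing it.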
--
2.7.0

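The defect and the fix discussed above, as an added example that is not code from the thread or from ALSA: a user-space model in which the lookup helper, like the kernel's snd_ctl_find_numid, treats numid 0 as a caller bug and warns instead of reporting a miss, so the ioctl handler has to reject user-supplied numid 0 at its own boundary. The control table, the counters and all function names here are constructed for illustration; the two handlers reproduce the pre-patch and post-patch check order from the hunk.

```c
/* Added example, not code from the thread or from ALSA: a user-space model of
 * the warning and of the validation the patch adds. Names and the control
 * table are constructed for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stddef.h>

struct model_ctl { unsigned int numid; const char *name; };

/* Constructed control table; a real card gets this from its driver. */
static const struct model_ctl controls[] = {
    { 1, "Master Playback Volume" },
    { 2, "PCM Playback Volume" },
};

static int warn_count;   /* how often the kernel-side invariant check fired */
static int lock_depth;   /* models read holders of card->controls_rwsem */

/* Models snd_ctl_find_numid: numid 0 is a caller bug from the helper's point
 * of view, so it "warns" (snd_BUG_ON in the kernel) instead of a plain miss. */
static const struct model_ctl *model_find_numid(unsigned int numid)
{
    size_t i;
    if (!numid) {
        warn_count++;
        return NULL;
    }
    for (i = 0; i < sizeof(controls) / sizeof(controls[0]); i++)
        if (controls[i].numid == numid)
            return &controls[i];
    return NULL;
}

static void model_down_read(void) { lock_depth++; }
static void model_up_read(void)   { lock_depth--; }

/* Pre-patch order: only the length is validated before the lookup, so a
 * user-supplied numid 0 reaches the helper and trips its warning. */
int tlv_ioctl_before(unsigned int numid, unsigned int length)
{
    const struct model_ctl *kctl;
    if (length < sizeof(unsigned int) * 2)
        return -EINVAL;
    model_down_read();
    kctl = model_find_numid(numid);
    if (kctl == NULL) {
        model_up_read();
        return -ENOENT;
    }
    model_up_read();
    return 0;
}

/* Post-patch order: numid 0 is rejected at the ioctl boundary, before the
 * lock is taken and before the helper that assumes numid != 0 runs. */
int tlv_ioctl_after(unsigned int numid, unsigned int length)
{
    const struct model_ctl *kctl;
    if (length < sizeof(unsigned int) * 2)
        return -EINVAL;
    if (!numid)
        return -EINVAL;
    model_down_read();
    kctl = model_find_numid(numid);
    if (kctl == NULL) {
        model_up_read();
        return -ENOENT;
    }
    model_up_read();
    return 0;
}

int warnings_fired(void) { return warn_count; }
int lock_holders(void)   { return lock_depth; }
int reset_counters(void) { warn_count = 0; lock_depth = 0; return 0; }

int main(void)
{
    /* The reported input: numid 0 with length 8, which passes the length check. */
    int rc = tlv_ioctl_before(0, 8);
    printf("before patch: rc=%d warnings=%d\n", rc, warnings_fired());
    reset_counters();
    rc = tlv_ioctl_after(0, 8);
    printf("after patch:  rc=%d warnings=%d\n", rc, warnings_fired());
    return 0;
}
```

The point the model makes is the one in the commit message: an invariant check inside a kernel helper protects against driver bugs, not against user input, so every value that reaches the helper from an ioctl has to be validated by the ioctl handler itself, and that validation belongs before any lock is taken so the error path stays trivial.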
Dmitry Vyukov

Jan 18, 2016, 8:19:17 AM1/18/16
to Takashi Iwai, alsa-...@alsa-project.org, Jaroslav Kysela, Takashi Sakamoto, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Mon, Jan 18, 2016 at 2:17 PM, Takashi Iwai <ti...@suse.de> wrote:
> On Mon, 18 Jan 2016 13:59:49 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program triggers a BUG in snd_ctl_find_numid:
>
> Do I understand correctly that you meant a kernel WARNING with a stack
> trace as a "BUG"? If so, the patch below should cover it.


Yes, I guess it's just a BUG warning message.