diff options
author | Oswald Buddenhagen <oswald.buddenhagen@gmx.de> | 2023-05-14 20:03:19 +0300 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2023-05-15 23:06:19 +0300 |
commit | 1a38ae579606dae836dced573d5ffa78cce6fc48 (patch) | |
tree | 2140a9898befdc7850f6a4f33d5d34db82ceb9fe /sound/pci/emu10k1/emufx.c | |
parent | bb5ceb43b7bfa166fd5d739d51ad46c1cfb225e3 (diff) | |
download | linux-1a38ae579606dae836dced573d5ffa78cce6fc48.tar.xz |
ALSA: emu10k1: validate min/max values of translated controls
User space could pass arbitrary ranges, which were uncritically
accepted. This could lead to table lookups out of range.
I don't think that this is a security issue, as it only allowed someone
with CAP_SYS_ADMIN to crash the kernel, but still.
Setting an invalid translation mode will also be rejected now. That did
no harm, but it's still better to detect errors.
Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Link: https://lore.kernel.org/r/20230514170323.3408834-4-oswald.buddenhagen@gmx.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/pci/emu10k1/emufx.c')
-rw-r--r-- | sound/pci/emu10k1/emufx.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c index fbc1bfc122fc..796e24b6f01a 100644 --- a/sound/pci/emu10k1/emufx.c +++ b/sound/pci/emu10k1/emufx.c @@ -769,6 +769,32 @@ static int snd_emu10k1_verify_controls(struct snd_emu10k1 *emu, err = -EINVAL; goto __error; } + switch (gctl->translation) { + case EMU10K1_GPR_TRANSLATION_NONE: + break; + case EMU10K1_GPR_TRANSLATION_TABLE100: + if (gctl->min != 0 || gctl->max != 100) { + err = -EINVAL; + goto __error; + } + break; + case EMU10K1_GPR_TRANSLATION_BASS: + case EMU10K1_GPR_TRANSLATION_TREBLE: + if (gctl->min != 0 || gctl->max != 40) { + err = -EINVAL; + goto __error; + } + break; + case EMU10K1_GPR_TRANSLATION_ONOFF: + if (gctl->min != 0 || gctl->max != 1) { + err = -EINVAL; + goto __error; + } + break; + default: + err = -EINVAL; + goto __error; + } } for (i = 0; i < icode->gpr_list_control_count; i++) { /* FIXME: we need to check the WRITE access */ |