This is a note to let you know that I've just added the patch titled

ALSA: control: Fix memory corruption risk in snd_ctl_elem_read

to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...

The filename of the patch is: alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch and it can be found in the queue-4.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.

From 5a23699a39abc5328921a81b89383d088f6ba9cc Mon Sep 17 00:00:00 2001

From: Richard Fitzgerald rf@opensource.cirrus.com Date: Tue, 27 Feb 2018 17:01:18 +0000 Subject: ALSA: control: Fix memory corruption risk in snd_ctl_elem_read

From: Richard Fitzgerald rf@opensource.cirrus.com

commit 5a23699a39abc5328921a81b89383d088f6ba9cc upstream.

The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations" introduced a potential for kernel memory corruption due to an incorrect if statement allowing non-readable controls to fall through and call the get function. For TLV controls a driver can omit SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function can be called. Instead the normal get() can be invoked unexpectedly and as the driver expects that this will only be called for controls <= 512 bytes, potentially try to copy >512 bytes into the 512 byte return array, so corrupting kernel memory.

The problem is an attempt to refactor the snd_ctl_elem_read function to invert the logic so that it conditionally aborted if the control is unreadable instead of conditionally executing. But the if statement wasn't inverted correctly.

The correct inversion of

if (a && !b)

is if (!a || b)

Fixes: becf9e5d553c2 ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations") Signed-off-by: Richard Fitzgerald rf@opensource.cirrus.com Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

--- sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/control.c +++ b/sound/core/control.c @@ -888,7 +888,7 @@ static int snd_ctl_elem_read(struct snd_

index_offset = snd_ctl_get_ioff(kctl, &control->id); vd = &kctl->vd[index_offset]; - if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) && kctl->get == NULL) + if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) return -EPERM;

snd_ctl_build_ioff(&control->id, kctl, index_offset);

Patches currently in stable-queue which might be from rf@opensource.cirrus.com are

queue-4.15/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch