Commit e71eb028 authored Nov 19, 2024 by Andrey Shumilin Committed by Gu Bowen Nov 19, 2024

ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()

stable inclusion
from stable-v5.10.229
commit 5e431f85c87bbffd93a9830d5a576586f9855291
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2YWV
CVE: CVE-2024-50205

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5e431f85c87bbffd93a9830d5a576586f9855291



--------------------------------

[ Upstream commit 72cafe63b35d06b5cfbaf807e90ae657907858da ]

The step variable is initialized to zero. It is changed in the loop,
but if it's not changed it will remain zero. Add a variable check
before the division.

The observed behavior was introduced by commit 826b5de9
("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"),
and it is difficult to show that any of the interval parameters will
satisfy the snd_interval_test() condition with data from the
amdtp_rate_table[] table.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 826b5de9 ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size")
Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://patch.msgid.link/20241018060018.1189537-1-shum.sdl@nppct.ru


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>

parent 60c70978

sound/firewire/amdtp-stream.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -163,6 +163,9 @@ static int apply_constraint_to_size(struct snd_pcm_hw_params *params,
		step = max(step, amdtp_syt_intervals[i]);
		}

		if (step == 0)
		return -EINVAL;

		t.min = roundup(s->min, step);
		t.max = rounddown(s->max, step);
		t.integer = 1;