[-next] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
Message ID | 20221121043625.2910001-1-zhongbaisong@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp1387417wrr; Sun, 20 Nov 2022 20:41:41 -0800 (PST) X-Google-Smtp-Source: AA0mqf6utjqzOUxr/9+g1wd5Jxntmgpx3H7G657gRiqPtK4OK1B9yYAft/w+pj7Xly1XgvT4+//p X-Received: by 2002:a17:90a:d811:b0:213:aa8:dda with SMTP id a17-20020a17090ad81100b002130aa80ddamr19181637pjv.111.1669005700772; Sun, 20 Nov 2022 20:41:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669005700; cv=none; d=google.com; s=arc-20160816; b=MfF8Pls9DpBJvAhoCazw4oGYbZ25KSol3i59Y46cRkghTPx2D0BTiwH+0coJa3+5lj MaayyZfalvoKIZRNpFnh8FhqLMxlyMl7gsVRF55zjqJfBr6c2TbCZy9BFBSj1CSx6kmx PLAUUXw4OObmECfqPdJH3cwwrBM6mAc/xECQ4HDqQ2/wBsKb9+XDlQP078GGwMNV2MFk DfH2k4274B7n7mIGB9IkoDkCgzg0yPk2Lm1l2Js1Cq0uWz9GjZU412tXfIb0k8jcLAHR 5pK5qZ78gjCcG2xelEtfBf1ttOVx7HqXHH9FWkPoaNj1RYXNS39vKiWCRrwjd4bFuTcA Lq5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=a4IuOC/7NImBc3GCYLK/eOgHo0nLO4czXpAlXu6Bgvw=; b=YQMU2fIbaWSK8iww/scQLtg2jKZWrF6JTAemQkJD83U+4pbgE4dd3FWnp6AMz4BO2K OosxaR71VdWESd7DzcohLl1MqZRaj2VwpKrOAeUlXU/kKQUwuGOUGBHC4u4QUed/LTAO dfu8QzKEpgsHi2CYNJbtX2INSbyZWu2U6dOB7lqJHdtaDkIF+B4Kn1c8r9X+JDp/JftD wh4I6LQ71RX6V/EJYBYeKxYeq9QFxEqDcs7/QqFnWDVJ7Gc0Q6HHNHW5WXRsmlsX6aSR nAS4Fb9Ud4lcR/FTdv7moTvjw1id5y+dgwDpu07uZZ/0XM62Yrt5NlmDG2ivbOZfkhLl zkuQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n3-20020a638f03000000b0046fcbcb7422si10796995pgd.45.2022.11.20.20.41.26; Sun, 20 Nov 2022 20:41:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229658AbiKUEgd (ORCPT <rfc822;leviz.kernel.dev@gmail.com> + 99 others); Sun, 20 Nov 2022 23:36:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52276 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229446AbiKUEga (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Sun, 20 Nov 2022 23:36:30 -0500 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9380126559 for <linux-kernel@vger.kernel.org>; Sun, 20 Nov 2022 20:36:27 -0800 (PST) Received: from canpemm500005.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4NFvhv1CvbzRpQf; Mon, 21 Nov 2022 12:35:59 +0800 (CST) Received: from huawei.com (10.175.104.82) by canpemm500005.china.huawei.com (7.192.104.229) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 21 Nov 2022 12:36:25 +0800 From: Baisong Zhong <zhongbaisong@huawei.com> To: <linux-kernel@vger.kernel.org>, <alsa-devel@alsa-project.org> CC: <perex@perex.cz>, <tiwai@suse.com>, <zhongbaisong@huawei.com> Subject: [PATCH -next] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT Date: Mon, 21 Nov 2022 12:36:25 +0800 Message-ID: <20221121043625.2910001-1-zhongbaisong@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.104.82] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500005.china.huawei.com (7.192.104.229) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1750079321986643946?= X-GMAIL-MSGID: =?utf-8?q?1750079321986643946?= |
Series |
[-next] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
|
|
Commit Message
Baisong Zhong
Nov. 21, 2022, 4:36 a.m. UTC
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22
left shift of 1 by 31 places cannot be represented in type 'int'
...
Call Trace:
<TASK>
dump_stack_lvl+0x8d/0xcf
ubsan_epilogue+0xa/0x44
__ubsan_handle_shift_out_of_bounds+0x1e7/0x208
snd_seq_deliver_single_event.constprop.21+0x191/0x2f0
snd_seq_deliver_event+0x1a2/0x350
snd_seq_kernel_client_dispatch+0x8b/0xb0
snd_seq_client_notify_subscription+0x72/0xa0
snd_seq_ioctl_subscribe_port+0x128/0x160
snd_seq_kernel_client_ctl+0xce/0xf0
snd_seq_oss_create_client+0x109/0x15b
alsa_seq_oss_init+0x11c/0x1aa
do_one_initcall+0x80/0x440
kernel_init_freeable+0x370/0x3c3
kernel_init+0x1b/0x190
ret_from_fork+0x1f/0x30
</TASK>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
---
include/uapi/sound/asequencer.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Mon, 21 Nov 2022 05:36:25 +0100, Baisong Zhong wrote: > > Shifting signed 32-bit value by 31 bits is undefined, so changing > significant bit to unsigned. The UBSAN warning calltrace like below: > > UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22 > left shift of 1 by 31 places cannot be represented in type 'int' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x8d/0xcf > ubsan_epilogue+0xa/0x44 > __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 > snd_seq_deliver_single_event.constprop.21+0x191/0x2f0 > snd_seq_deliver_event+0x1a2/0x350 > snd_seq_kernel_client_dispatch+0x8b/0xb0 > snd_seq_client_notify_subscription+0x72/0xa0 > snd_seq_ioctl_subscribe_port+0x128/0x160 > snd_seq_kernel_client_ctl+0xce/0xf0 > snd_seq_oss_create_client+0x109/0x15b > alsa_seq_oss_init+0x11c/0x1aa > do_one_initcall+0x80/0x440 > kernel_init_freeable+0x370/0x3c3 > kernel_init+0x1b/0x190 > ret_from_fork+0x1f/0x30 > </TASK> > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com> > --- > include/uapi/sound/asequencer.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h > index 6d4a2c60808d..4c5c4dd15d02 100644 > --- a/include/uapi/sound/asequencer.h > +++ b/include/uapi/sound/asequencer.h > @@ -331,7 +331,7 @@ typedef int __bitwise snd_seq_client_type_t; > #define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */ > #define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */ > #define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */ > -#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */ > +#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */ Similarly like the previous patch for PCM, could you update all SNDRV_SEQ_FILTER_* to 1U for consistency? thanks, Takashi
在 2022/11/21 18:35, Takashi Iwai 写道: > On Mon, 21 Nov 2022 05:36:25 +0100, > Baisong Zhong wrote: >> >> Shifting signed 32-bit value by 31 bits is undefined, so changing >> significant bit to unsigned. The UBSAN warning calltrace like below: >> >> UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22 >> left shift of 1 by 31 places cannot be represented in type 'int' >> ... >> Call Trace: >> <TASK> >> dump_stack_lvl+0x8d/0xcf >> ubsan_epilogue+0xa/0x44 >> __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 >> snd_seq_deliver_single_event.constprop.21+0x191/0x2f0 >> snd_seq_deliver_event+0x1a2/0x350 >> snd_seq_kernel_client_dispatch+0x8b/0xb0 >> snd_seq_client_notify_subscription+0x72/0xa0 >> snd_seq_ioctl_subscribe_port+0x128/0x160 >> snd_seq_kernel_client_ctl+0xce/0xf0 >> snd_seq_oss_create_client+0x109/0x15b >> alsa_seq_oss_init+0x11c/0x1aa >> do_one_initcall+0x80/0x440 >> kernel_init_freeable+0x370/0x3c3 >> kernel_init+0x1b/0x190 >> ret_from_fork+0x1f/0x30 >> </TASK> >> >> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") >> Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com> >> --- >> include/uapi/sound/asequencer.h | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h >> index 6d4a2c60808d..4c5c4dd15d02 100644 >> --- a/include/uapi/sound/asequencer.h >> +++ b/include/uapi/sound/asequencer.h >> @@ -331,7 +331,7 @@ typedef int __bitwise snd_seq_client_type_t; >> #define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */ >> #define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */ >> #define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */ >> -#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */ >> +#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */ > > Similarly like the previous patch for PCM, could you update all > SNDRV_SEQ_FILTER_* to 1U for consistency? > > > thanks, > > Takashi Hi, Takashi Thank you for your suggestion. I will update all SNDRV_SEQ_FILTER_* to 1U for consistency in v2. Baisong Zhong .
diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h index 6d4a2c60808d..4c5c4dd15d02 100644 --- a/include/uapi/sound/asequencer.h +++ b/include/uapi/sound/asequencer.h @@ -331,7 +331,7 @@ typedef int __bitwise snd_seq_client_type_t; #define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */ #define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */ #define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */ -#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */ +#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */ struct snd_seq_client_info { int client; /* client number to inquire */