Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, 03 Feb 2016 14:37:17 +0100, Dmitry Vyukov wrote: > > On Wed, Feb 3, 2016 at 1:02 PM, Takashi Iwai wrote: > > On Wed, 03 Feb 2016 12:39:31 +0100, > > Takashi Iwai wrote: > >> > >> On Wed, 03 Feb 2016 10:41:14 +0100, > >> Takashi Iwai wrote: > >> > > >> > On Wed, 03 Feb 2016 10:35:14 +0100,

Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, Feb 3, 2016 at 1:02 PM, Takashi Iwai wrote: > On Wed, 03 Feb 2016 12:39:31 +0100, > Takashi Iwai wrote: >> >> On Wed, 03 Feb 2016 10:41:14 +0100, >> Takashi Iwai wrote: >> > >> > On Wed, 03 Feb 2016 10:35:14 +0100, >> > Takashi Iwai wrote: >> > > >> > > On Wed, 03 Feb 2016 09:57:50 +0100,

Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, Feb 3, 2016 at 10:35 AM, Takashi Iwai wrote: > On Wed, 03 Feb 2016 09:57:50 +0100, > Dmitry Vyukov wrote: >> >> Hello, >> >> The following program triggers an out-of-bounds write in >> snd_rawmidi_kernel_write1 (run in parallel loop). It seems to try to >> copy -1 bytes (aka 4GB) from user

Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, 03 Feb 2016 12:39:31 +0100, Takashi Iwai wrote: > > On Wed, 03 Feb 2016 10:41:14 +0100, > Takashi Iwai wrote: > > > > On Wed, 03 Feb 2016 10:35:14 +0100, > > Takashi Iwai wrote: > > > > > > On Wed, 03 Feb 2016 09:57:50 +0100, > > > Dmitry Vyukov wrote: > > > > > > > > Hello, > > > > >

Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, 03 Feb 2016 10:41:14 +0100, Takashi Iwai wrote: > > On Wed, 03 Feb 2016 10:35:14 +0100, > Takashi Iwai wrote: > > > > On Wed, 03 Feb 2016 09:57:50 +0100, > > Dmitry Vyukov wrote: > > > > > > Hello, > > > > > > The following program triggers an out-of-bounds write in > > > snd_rawmidi_ke

Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, 03 Feb 2016 10:35:14 +0100, Takashi Iwai wrote: > > On Wed, 03 Feb 2016 09:57:50 +0100, > Dmitry Vyukov wrote: > > > > Hello, > > > > The following program triggers an out-of-bounds write in > > snd_rawmidi_kernel_write1 (run in parallel loop). It seems to try to > > copy -1 bytes (aka 4

Re: sound: out-of-bounds write in snd_rawmidi_kernel_write1

On Wed, 03 Feb 2016 09:57:50 +0100, Dmitry Vyukov wrote: > > Hello, > > The following program triggers an out-of-bounds write in > snd_rawmidi_kernel_write1 (run in parallel loop). It seems to try to > copy -1 bytes (aka 4GB) from user space into kernel smashing all on > its way. What card is /d

sound: out-of-bounds write in snd_rawmidi_kernel_write1

Hello, The following program triggers an out-of-bounds write in snd_rawmidi_kernel_write1 (run in parallel loop). It seems to try to copy -1 bytes (aka 4GB) from user space into kernel smashing all on its way. == BUG: KASAN: use-afte