{ "id": "CVE-2022-49292", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-02-26T07:01:06.047", "lastModified": "2025-02-26T07:01:06.047", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: oss: Fix PCM OSS buffer allocation overflow\n\nWe've got syzbot reports hitting INT_MAX overflow at vmalloc()\nallocation that is called from snd_pcm_plug_alloc(). Although we\napply the restrictions to input parameters, it's based only on the\nhw_params of the underlying PCM device. Since the PCM OSS layer\nallocates a temporary buffer for the data conversion, the size may\nbecome unexpectedly large when more channels or higher rates is given;\nin the reported case, it went over INT_MAX, hence it hits WARN_ON().\n\nThis patch is an attempt to avoid such an overflow and an allocation\nfor too large buffers. First off, it adds the limit of 1MB as the\nupper bound for period bytes. This must be large enough for all use\ncases, and we really don't want to handle a larger temporary buffer\nthan this size. The size check is performed at two places, where the\noriginal period bytes is calculated and where the plugin buffer size\nis calculated.\n\nIn addition, the driver uses array_size() and array3_size() for\nmultiplications to catch overflows for the converted period size and\nbuffer bytes." }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ALSA: oss: Fix PCM OSS buffer assignment overflow Tenemos informes de syzbot que alcanzan un desbordamiento de INT_MAX en la asignaci\u00f3n de vmalloc() que se llama desde snd_pcm_plug_alloc(). Aunque aplicamos las restricciones a los par\u00e1metros de entrada, se basa solo en hw_params del dispositivo PCM subyacente. Dado que la capa PCM OSS asigna un b\u00fafer temporal para la conversi\u00f3n de datos, el tama\u00f1o puede volverse inesperadamente grande cuando se dan m\u00e1s canales o velocidades m\u00e1s altas; en el caso informado, super\u00f3 INT_MAX, por lo tanto, alcanza WARN_ON(). Este parche es un intento de evitar dicho desbordamiento y una asignaci\u00f3n para b\u00faferes demasiado grandes. En primer lugar, agrega el l\u00edmite de 1 MB como l\u00edmite superior para bytes de per\u00edodo. Esto debe ser lo suficientemente grande para todos los casos de uso, y realmente no queremos manejar un b\u00fafer temporal m\u00e1s grande que este tama\u00f1o. La comprobaci\u00f3n del tama\u00f1o se realiza en dos lugares: donde se calculan los bytes del per\u00edodo original y donde se calcula el tama\u00f1o del b\u00fafer del complemento. Adem\u00e1s, el controlador utiliza array_size() y array3_size() para las multiplicaciones con el fin de detectar desbordamientos en el tama\u00f1o del per\u00edodo convertido y los bytes del b\u00fafer." } ], "metrics": {}, "references": [ { "url": "https://git.kernel.org/stable/c/0c4190b41a69990666b4000999e27f8f1b2a426b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/5ce74ff7059341d8b2f4d01c3383491df63d1898", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/7a40cbf3579a8e14849ba7ce46309c1992658d2b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/e74a069c6a7bb505f3ade141dddf85f4b0b5145a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/efb6402c3c4a7c26d97c92d70186424097b6e366", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/fb08bf99195a87c798bc8ae1357337a981faeade", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" } ] }