From patchwork Fri Aug 18 15:58:45 2023
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 1822999
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, Christian Schoenebeck
Subject: [PATCH 1/2] audio/jackaudio: Avoid dynamic stack allocation in qjack_client_init
Date: Fri, 18 Aug 2023 16:58:45 +0100
Message-Id: <20230818155846.1651287-2-peter.maydell@linaro.org>
In-Reply-To: <20230818155846.1651287-1-peter.maydell@linaro.org>
References: <20230818155846.1651287-1-peter.maydell@linaro.org>

Avoid a dynamic stack allocation in qjack_client_init(), by using
a g_autofree heap allocation instead. (We stick with allocate +
snprintf() because the JACK API requires the name to be no more than
its maximum size, so g_strdup_printf() would require an extra
truncation step.)

The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).

Signed-off-by: Peter Maydell
Reviewed-by: Francisco Iglesias
Reviewed-by: Christian Schoenebeck
---
 audio/jackaudio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/audio/jackaudio.c b/audio/jackaudio.c index 5bdf3d7a78d..7cb2a49f971 100644
--- a/audio/jackaudio.c +++ b/audio/jackaudio.c @@ -400,7 +400,8 @@ static void qjack_client_connect_ports(QJackClient *c) static int qjack_client_init(QJackClient *c) { jack_status_t status; - char client_name[jack_client_name_size()]; + int client_name_len = jack_client_name_size(); /* includes NUL */ + g_autofree char *client_name = g_new(char, client_name_len); jack_options_t options = JackNullOption; if (c->state == QJACK_STATE_RUNNING) { 
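Review bot: The `/* includes NUL */` comment on client_name_len is the load-bearing assumption of this hunk: it states that jack_client_name_size() already counts the terminating NUL, so g_new(char, client_name_len) needs no +1. Please make the comment say that this is the documented JACK API contract (the library reports the maximum client name length including the final NUL), because an off-by-one in this allocation is exactly the class of bug the series is meant to guard against. Moving the buffer to the heap also means the stack frame no longer depends on a size reported by an external library, which is the point of the change.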
@@ -409,7 +410,7 @@ static int qjack_client_init(QJackClient *c) c->connect_ports = true; - snprintf(client_name, sizeof(client_name), "%s-%s", + snprintf(client_name, client_name_len, "%s-%s", c->out ? "out" : "in", c->opt->client_name ? c->opt->client_name : audio_application_name());
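Review bot: Changing the snprintf() bound from sizeof(client_name) to client_name_len is required for correctness, not just tidiness, and the commit message could say so: once client_name is a `char *` rather than an array, sizeof(client_name) is the size of a pointer, so leaving the old expression in place would still compile and would silently truncate every client name to a handful of characters. Suggest a short comment on the snprintf() line, e.g. `/* client_name is heap-allocated: do not use sizeof() here */`, so nobody reintroduces the sizeof form when touching this code later.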
From patchwork Fri Aug 18 15:58:46 2023
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 1822998
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, Christian Schoenebeck
Subject: [PATCH 2/2] audio/jackaudio: Avoid dynamic stack allocation in qjack_process()
Date: Fri, 18 Aug 2023 16:58:46 +0100
Message-Id: <20230818155846.1651287-3-peter.maydell@linaro.org>
In-Reply-To: <20230818155846.1651287-1-peter.maydell@linaro.org>
References: <20230818155846.1651287-1-peter.maydell@linaro.org>

Avoid a dynamic stack allocation in qjack_process(). Since this
function is a JACK process callback, we are not permitted to malloc()
here, so we allocate a working buffer in qjack_client_init() instead.

The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell
Reviewed-by: Francisco Iglesias
Reviewed-by: Christian Schoenebeck
---
This feels like we ought to be able to say "we know there are at most X
channels, so allocate an array of size X on the stack", but I couldn't
find anything in the audio subsystem from a quick look that set an
obvious bound on the number of channels. Is there some straightforward
constant MAX_CHANNELS somewhere?
---
 audio/jackaudio.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/audio/jackaudio.c b/audio/jackaudio.c index 7cb2a49f971..e1eaa3477dc 100644 --- a/audio/jackaudio.c +++ b/audio/jackaudio.c @@ -70,6 +70,9 @@ typedef struct QJackClient { int buffersize; jack_port_t **port; QJackBuffer fifo; + + /* Used as workspace by qjack_process() */ + float **process_buffers; } QJackClient; @@ -267,22 +270,21 @@ static int qjack_process(jack_nframes_t nframes, void *arg) } /* get the buffers for the ports */ - float *buffers[c->nchannels]; for (int i = 0; i < c->nchannels; ++i) { - buffers[i] = jack_port_get_buffer(c->port[i], nframes); + c->process_buffers[i] = jack_port_get_buffer(c->port[i], nframes); } if (c->out) { if (likely(c->enabled)) { - qjack_buffer_read_l(&c->fifo, buffers, nframes); + qjack_buffer_read_l(&c->fifo, c->process_buffers, nframes); } else { for (int i = 0; i < c->nchannels; ++i) { - memset(buffers[i], 0, nframes * sizeof(float)); + memset(c->process_buffers[i], 0, nframes * sizeof(float)); } } } else { if (likely(c->enabled)) { - qjack_buffer_write_l(&c->fifo, buffers, nframes); + qjack_buffer_write_l(&c->fifo, c->process_buffers, nframes); } }
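Review bot: The qjack_process() hunk now relies on c->process_buffers having been allocated with at least c->nchannels entries before the callback can run; the loop bound here and the allocation size in qjack_client_init() are the same expression living in two different functions, so a comment beside the loop pointing at the allocation (or a g_assert(c->process_buffers) that costs nothing in the real-time path) would make that invariant visible to the next person who changes nchannels handling. The substance is right for a process callback: the VLA's stack usage scaled with c->nchannels, and the preallocated workspace removes that without adding a malloc() to the real-time path.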
@@ -448,6 +450,9 @@ static int qjack_client_init(QJackClient *c) jack_get_client_name(c->client)); } + /* Allocate working buffer for process callback */ + c->process_buffers = g_new(float *, c->nchannels); + jack_set_process_callback(c->client, qjack_process , c); jack_set_port_registration_callback(c->client, qjack_port_registration, c); jack_set_xrun_callback(c->client, qjack_xrun, c); @@ -579,6 +584,7 @@ static void qjack_client_fini_locked(QJackClient *c) qjack_buffer_free(&c->fifo); g_free(c->port); + g_free(c->process_buffers); c->state = QJACK_STATE_DISCONNECTED; /* fallthrough */
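Review bot: In the qjack_client_fini_locked() hunk, c->process_buffers is freed but not reset to NULL, mirroring the existing g_free(c->port) just above it; since c->state is only set to QJACK_STATE_DISCONNECTED at the end of this path, a stale pointer would survive any later teardown of the same client, so assigning NULL after the g_free() is cheap insurance against a double free. On the allocation side, g_new(float *, c->nchannels) in qjack_client_init() is placed before jack_set_process_callback(), which is the right order: the callback must never observe an unallocated workspace.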