Date: Tue, 09 Jun 2026 19:17:47 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Christos Margiolis <christos@FreeBSD.org> Subject: git: 144f59e06f9b - stable/14 - sound: Check for offset overflow in dsp_mmap_single() Message-ID: <6a2866db.3e521.5867a12d@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=144f59e06f9bff4afb56370a9d03965ab158058f commit 144f59e06f9bff4afb56370a9d03965ab158058f Author: Christos Margiolis <christos@FreeBSD.org> AuthorDate: 2026-05-27 15:50:33 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-06-09 19:15:21 +0000 sound: Check for offset overflow in dsp_mmap_single() Approved by: so Security: FreeBSD-SA-26:27.sound Security: CVE-2026-45258 Reviewed by: markj Sponsored by: The FreeBSD Foundation --- sys/dev/sound/pcm/dsp.c | 3 +++ tests/sys/sound/Makefile | 1 + tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c index 1856a348ac12..75293ae9bd8a 100644 --- a/sys/dev/sound/pcm/dsp.c +++ b/sys/dev/sound/pcm/dsp.c @@ -1954,6 +1954,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset, struct pcm_channel *wrch, *rdch, *c; int err; + if (*offset >= *offset + size) + return (EINVAL); + /* * Reject PROT_EXEC by default. It just doesn't makes sense. * Unfortunately, we have to give up this one due to linux_mmap diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile index 74a0765a0540..ce156ae8c4cf 100644 --- a/tests/sys/sound/Makefile +++ b/tests/sys/sound/Makefile @@ -2,6 +2,7 @@ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/sound +ATF_TESTS_C+= mmap ATF_TESTS_C+= pcm_read_write ATF_TESTS_C+= sndstat diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c new file mode 100644 index 000000000000..ab203a39194c --- /dev/null +++ b/tests/sys/sound/mmap.c @@ -0,0 +1,51 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 The FreeBSD Foundation + */ + +#include <sys/mman.h> +#include <sys/soundcard.h> + +#include <atf-c.h> +#include <errno.h> +#include <fcntl.h> +#include <unistd.h> + +#define FMT_ERR(s) s ": %s", strerror(errno) + +ATF_TC(mmap_offset_overflow); +ATF_TC_HEAD(mmap_offset_overflow, tc) +{ + atf_tc_set_md_var(tc, "descr", "mmap offset overflow test"); + atf_tc_set_md_var(tc, "require.kmods", "snd_dummy"); +} + +ATF_TC_BODY(mmap_offset_overflow, tc) +{ + uint8_t *buf; + off_t off; + size_t len; + int fd; + + fd = open("/dev/dsp0", O_RDWR); + ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open")); + + /* off + len will overflow and wrap back to 0. */ + off = 0xfffffffffffff000; + len = 0x1000; + + buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off); + ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap")); + + munmap(buf, len); + + close(fd); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, mmap_offset_overflow); + + return (atf_no_error()); +}home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a2866db.3e521.5867a12d>