linux-test-project / ltp

Linux Test Project (mailing list: https://lists.linux.it/listinfo/ltp)
https://linux-test-project.readthedocs.io/
GNU General Public License v2.0

Write a regression test for CVE-2022-1048 #935

Open mdoucha opened 2 years ago

mdoucha commented 2 years ago

https://bugzilla.suse.com/show_bug.cgi?id=1197331

SAFE_FILE_PRINTF("/proc/asound/card*/pcm*/sub*/prealloc", "0"); in setup() is required to reproduce the bug without KASAN.

coolgw commented 1 year ago

Trying to reproduce with a qemu VM using the following command (enabling the audio device): -audiodev alsa,id=snd0 -machine pcspk-audiodev=snd0 -device ac97,audiodev=snd0

The kernel is a self-built 5.17.0-rc8 without the fix.

Also, the debug trace confirms that the free function can be reached when running the reproducer code:

Breakpoint 2, snd_pcm_lib_free_pages (substream=substream@entry=0xffff88800423de00) at sound/core/pcm_memory.c:456
456 if (PCM_RUNTIME_CHECK(substream))
(gdb)
459 if (runtime->dma_area == NULL)
(gdb)
461 if (runtime->dma_buffer_p != &substream->dma_buffer) {
(gdb)
463 do_free_pages(card, runtime->dma_buffer_p);

But I still cannot reproduce this issue :(