sound: Check for offset overflow in dsp_mmap_single()

Approved by:	so
Security:	FreeBSD-SA-26:27.sound
Security:	CVE-2026-45258
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Christos Margiolis
2026-05-27 17:50:33 +02:00
committed by Mark Johnston
parent 3444414cb4
commit 1bb8212df1
3 changed files with 55 additions and 0 deletions
+3
View File
@@ -1920,6 +1920,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset,
struct pcm_channel *wrch, *rdch, *c;
int err;
if (*offset >= *offset + size)
return (EINVAL);
/*
* https://lists.freebsd.org/pipermail/freebsd-emulation/2007-June/003698.html
*/
+1
View File
@@ -2,6 +2,7 @@ PACKAGE= tests
TESTSDIR= ${TESTSBASE}/sys/sound
ATF_TESTS_C+= mmap
ATF_TESTS_C+= pcm_read_write
ATF_TESTS_C+= polling
ATF_TESTS_C+= sndstat
+51
View File
@@ -0,0 +1,51 @@
/*-
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright (c) 2026 The FreeBSD Foundation
*/
#include <sys/mman.h>
#include <sys/soundcard.h>
#include <atf-c.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#define FMT_ERR(s) s ": %s", strerror(errno)
ATF_TC(mmap_offset_overflow);
ATF_TC_HEAD(mmap_offset_overflow, tc)
{
atf_tc_set_md_var(tc, "descr", "mmap offset overflow test");
atf_tc_set_md_var(tc, "require.kmods", "snd_dummy");
}
ATF_TC_BODY(mmap_offset_overflow, tc)
{
uint8_t *buf;
off_t off;
size_t len;
int fd;
fd = open("/dev/dsp.dummy", O_RDWR);
ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open"));
/* off + len will overflow and wrap back to 0. */
off = 0xfffffffffffff000;
len = 0x1000;
buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off);
ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap"));
munmap(buf, len);
close(fd);
}
ATF_TP_ADD_TCS(tp)
{
ATF_TP_ADD_TC(tp, mmap_offset_overflow);
return (atf_no_error());
}