CVE-2022-48702

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/05/2024
Last modified: 05/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()

The voice allocator sometimes begins allocating from near the end of the
array and then wraps around, however snd_emu10k1_pcm_channel_alloc()
accesses the newly allocated voices as if it never wrapped around.

This results in out of bounds access if the first voice has a high enough
index so that first_voice + requested_voice_count > NUM_G (64).
The more voices are requested, the more likely it is for this to occur.

This was initially discovered using PipeWire, however it can be reproduced
by calling aplay multiple times with 16 channels:
aplay -r 48000 -D plughw:CARD=Live,DEV=3 -c 16 /dev/zero

UBSAN: array-index-out-of-bounds in sound/pci/emu10k1/emupcm.c:127:40
index 65 is out of range for type 'snd_emu10k1_voice [64]'
CPU: 1 PID: 31977 Comm: aplay Tainted: G W IOE 6.0.0-rc2-emu10k1+ #7
Hardware name: ASUSTEK COMPUTER INC P5W DH Deluxe/P5W DH Deluxe, BIOS 3002 07/22/2010
Call Trace:
dump_stack_lvl+0x49/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x3f
__ubsan_handle_out_of_bounds.cold+0x44/0x49
snd_emu10k1_playback_hw_params+0x3bc/0x420 [snd_emu10k1]
snd_pcm_hw_params+0x29f/0x600 [snd_pcm]
snd_pcm_common_ioctl+0x188/0x1410 [snd_pcm]
? exit_to_user_mode_prepare+0x35/0x170
? do_syscall_64+0x69/0x90
? syscall_exit_to_user_mode+0x26/0x50
? do_syscall_64+0x69/0x90
? exit_to_user_mode_prepare+0x35/0x170
snd_pcm_ioctl+0x27/0x40 [snd_pcm]
__x64_sys_ioctl+0x95/0xd0
do_syscall_64+0x5c/0x90
? do_syscall_64+0x69/0x90
? do_syscall_64+0x69/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
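Added example, not the kernel driver's code: a simplified user-space C model of the wrap-around described above, comparing caller-side indexing that ignores the wrap with indexing taken modulo NUM_G. Apart from NUM_G, every name is hypothetical and the allocator is a constructed stand-in for the driver's voice allocator.

```c
#include <stdbool.h>
#include <stdio.h>
#define NUM_G 64                 /* voice array size, from the advisory */

static bool in_use[NUM_G];       /* hypothetical stand-in for the voice array */
static int next_start;           /* where the next search begins */

/* Reserve `count` consecutive voices, wrapping past the array end; -1 if none. */
int voice_alloc(int count)
{
    for (int tried = 0; tried < NUM_G; tried++) {
        int first = (next_start + tried) % NUM_G, i;
        for (i = 0; i < count && !in_use[(first + i) % NUM_G]; i++)
            ;
        if (i < count)
            continue;            /* run blocked by a busy voice */
        for (i = 0; i < count; i++)
            in_use[(first + i) % NUM_G] = true;
        next_start = (first + count) % NUM_G;
        return first;
    }
    return -1;
}

void voice_free(int first, int count)
{
    for (int i = 0; i < count; i++)
        in_use[(first + i) % NUM_G] = false;
}

/* Caller-side index of the i-th voice of an allocation. */
int index_unchecked(int first, int i) { return first + i; }           /* ignores the wrap */
int index_wrapped(int first, int i)   { return (first + i) % NUM_G; } /* follows the wrap */

/* Number of the `count` indices that fall outside the array (never dereferenced here). */
int count_out_of_bounds(int first, int count, int (*index_of)(int, int))
{
    int bad = 0;
    for (int i = 0; i < count; i++)
        bad += index_of(first, i) >= NUM_G;
    return bad;
}

int main(void)
{
    voice_free(voice_alloc(50), 50);   /* constructed: search now starts at 50 */
    int first = voice_alloc(16);       /* constructed 16-voice request */
    printf("first=%d oob unchecked=%d wrapped=%d\n", first,
           count_out_of_bounds(first, 16, index_unchecked),
           count_out_of_bounds(first, 16, index_wrapped));
}
```

The model only counts offending indices; it never reads or writes past the array, so it is safe to run under any sanitizer.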

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.9.328 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.293 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.213 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.143 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.68 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.19.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:* | | |