kern/13587: Voxware MIXER_READ ioctl corrupts memory

From: <aa8vb@ipass.net>
Date: 5 Sep 1999 17:52:02
Subject: kern/13587: Voxware MIXER_READ ioctl corrupts memory
Message-ID: 199909060046.UAA13229@stealth.ipass.net.


>Number: 13587
>Category: kern
>Synopsis: Voxware MIXER_READ ioctl corrupts memory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 5 17:50:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Randall Hopper
>Release: FreeBSD 3.2-RELEASE i386
>Organization:
self
>Environment:

Stock 3.2-RELEASE. Voxware sound drivers. Sound Blaster 32.

controller snd0
device pas0 at isa? port 0x388 irq 10 drq 3
device sb0 at isa? port 0x220 irq 5 drq 1
device sbxvi0 at isa? drq 5
device sbmidi0 at isa? port 0x330
device opl0 at isa? port 0x388
device awe0 at isa? port 0x620

>Description:

    int stomp_me = 0x12345678;
    unsigned char vol[2];

    ioctl( mixer_fd, MIXER_READ( SOUND_MIXER_LINE ), vol );

The ioctl overwrites the lower two bytes of 'stomp_me'. This is
how Linux apps like xmix declare vol, so apparently this is a bug
in our Voxware drivers. xmix may be saved from memory corruption
only by the structure alignment policy of FreeBSD.

>How-To-Repeat:

The output of the following program is:

#include <stdio.h>
#include <stdlib.h>             /* exit() */
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>          /* ioctl() */
#include <machine/soundcard.h>
#include <assert.h>

int main( int argc, char *argv[] )
{
    int mixer_fd, ret, ctrls;
    int stomp_me = 0x12345678;  /* canary declared next to vol */
    unsigned char vol[2];       /* two-byte buffer, as in the description */

    mixer_fd = open( "/dev/mixer0", O_RDWR, 0 );
    assert( mixer_fd >= 0 );

    /* Make sure the mixer has a line-in control before reading it. */
    ret = ioctl( mixer_fd, SOUND_MIXER_READ_DEVMASK, &ctrls );
    assert( ret >= 0 );

    assert( ctrls & SOUND_MASK_LINE );

    /* The call under test: read the line-in level into vol. */
    ret = ioctl( mixer_fd, MIXER_READ( SOUND_MIXER_LINE ), vol );
    assert( ret >= 0 );

    printf( "Volume is %d,%d\n", vol[0], vol[1] );

    /* Report if the canary no longer holds its initial value. */
    if ( stomp_me != 0x12345678 ) {
        fprintf( stderr, "\n\nWhooah! Sound ioctl() stomped memory!\n"
                 "Value was 0x12345678, now it's 0x%.8x\n",
                 stomp_me );
        exit(1);
    }

    close( mixer_fd );

    return 0;
}

>Fix:



>Release-Note:
>Audit-Trail:
>Unformatted:
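
Added example, not part of the original report or of the FreeBSD sources: a caller-side check that compares the buffer size with the argument length encoded in the ioctl request, plus a read into a full int. It assumes MIXER_READ is defined as in the OSS soundcard.h header (an _IOR request with an int argument) and that levels are packed left in the low byte, right in the next; the EX_/ex_ names and channel number 6 are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/ioctl.h>

/* Assumption: mirrors the OSS soundcard.h definition of MIXER_READ,
 * whose argument type is int. Defined locally so this builds without
 * the sound headers. */
#define EX_MIXER_READ(dev) _IOR('M', (dev), int)

/* The argument length is encoded in the request number itself. */
#ifdef IOCPARM_LEN                      /* BSD */
#define EX_ARG_LEN(req) ((size_t)IOCPARM_LEN(req))
#else                                   /* Linux */
#define EX_ARG_LEN(req) ((size_t)_IOC_SIZE(req))
#endif

/* Number of bytes the kernel copies out for this request. */
size_t ex_arg_len(unsigned long req) { return EX_ARG_LEN(req); }

/* 1 if a buffer of buflen bytes can hold the copy-out, else 0. */
int ex_buffer_fits(unsigned long req, size_t buflen)
{
    return buflen >= ex_arg_len(req);
}

/* Assumed packing: left in bits 0-7, right in bits 8-15. */
void ex_unpack_level(int packed, unsigned char *left, unsigned char *right)
{
    *left  = (unsigned char)(packed & 0xff);
    *right = (unsigned char)((packed >> 8) & 0xff);
}

/* Read one mixer channel into a correctly sized int, then unpack it. */
int ex_mixer_read_level(int fd, int dev, unsigned char *left, unsigned char *right)
{
    int packed = 0;
    if (ioctl(fd, EX_MIXER_READ(dev), &packed) < 0)
        return -1;
    ex_unpack_level(packed, left, right);
    return 0;
}

int main(void)
{
    unsigned char vol[2];
    unsigned long req = EX_MIXER_READ(6);   /* 6: constructed channel number */
    printf("copy-out %zu bytes, vol[] holds %zu, fits=%d\n",
           ex_arg_len(req), sizeof vol, ex_buffer_fits(req, sizeof vol));
    return 0;
}
```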