git: c42ee04c521e - releng/15.0 - sound: Check for offset overflow in dsp_mmap_single()
Date: Tue, 09 Jun 2026 19:19:44 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=c42ee04c521ed8268421173f961859233a321b17
commit c42ee04c521ed8268421173f961859233a321b17
Author: Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2026-05-27 15:50:33 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-08 15:39:32 +0000
sound: Check for offset overflow in dsp_mmap_single()
Approved by: so
Security: FreeBSD-SA-26:27.sound
Security: CVE-2026-45258
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
---
sys/dev/sound/pcm/dsp.c | 3 +++
tests/sys/sound/Makefile | 1 +
tests/sys/sound/mmap.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
diff --git a/sys/dev/sound/pcm/dsp.c b/sys/dev/sound/pcm/dsp.c
index fe5576baf017..72bde9c1066f 100644
--- a/sys/dev/sound/pcm/dsp.c
+++ b/sys/dev/sound/pcm/dsp.c
@@ -1953,6 +1953,9 @@ dsp_mmap_single(struct cdev *i_dev, vm_ooffset_t *offset,
struct pcm_channel *wrch, *rdch, *c;
int err;
+ if (*offset >= *offset + size)
+ return (EINVAL);
+
/*
* Reject PROT_EXEC by default. It just doesn't makes sense.
* Unfortunately, we have to give up this one due to linux_mmap
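Review bot: The new guard `if (*offset >= *offset + size)` relies on wraparound arithmetic, and nothing at the check says so or names the operand types. The declaration of `size` is outside the hunk; if the addition is carried out in a signed type on some platform, the wrap is signed overflow, so it is worth confirming that the kernel build defines that behaviour, or converting both operands to an unsigned 64-bit type before adding. The `>=` also rejects `size == 0`, which looks deliberate but is not stated. I would add a comment above the check such as `/* Reject requests where offset + size wraps; a zero size is rejected too. */`. The body of dsp_mmap_single() starts before and continues after this hunk.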
diff --git a/tests/sys/sound/Makefile b/tests/sys/sound/Makefile
index 74a0765a0540..ce156ae8c4cf 100644
--- a/tests/sys/sound/Makefile
+++ b/tests/sys/sound/Makefile
@@ -2,6 +2,7 @@ PACKAGE= tests
TESTSDIR= ${TESTSBASE}/sys/sound
+ATF_TESTS_C+= mmap
ATF_TESTS_C+= pcm_read_write
ATF_TESTS_C+= sndstat
diff --git a/tests/sys/sound/mmap.c b/tests/sys/sound/mmap.c
new file mode 100644
index 000000000000..ab203a39194c
--- /dev/null
+++ b/tests/sys/sound/mmap.c
@@ -0,0 +1,51 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2026 The FreeBSD Foundation
+ */
+
+#include <sys/mman.h>
+#include <sys/soundcard.h>
+
+#include <atf-c.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#define FMT_ERR(s) s ": %s", strerror(errno)
+
+ATF_TC(mmap_offset_overflow);
+ATF_TC_HEAD(mmap_offset_overflow, tc)
+{
+ atf_tc_set_md_var(tc, "descr", "mmap offset overflow test");
+ atf_tc_set_md_var(tc, "require.kmods", "snd_dummy");
+}
+
+ATF_TC_BODY(mmap_offset_overflow, tc)
+{
+ uint8_t *buf;
+ off_t off;
+ size_t len;
+ int fd;
+
+ fd = open("/dev/dsp0", O_RDWR);
+ ATF_REQUIRE_MSG(fd >= 0, FMT_ERR("open"));
+
+ /* off + len will overflow and wrap back to 0. */
+ off = 0xfffffffffffff000;
+ len = 0x1000;
+
+ buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, off);
+ ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap"));
+
+ munmap(buf, len);
+
+ close(fd);
+}
+
+ATF_TP_ADD_TCS(tp)
+{
+ ATF_TP_ADD_TC(tp, mmap_offset_overflow);
+
+ return (atf_no_error());
+}
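Review bot: The assertion `ATF_REQUIRE_MSG(buf == MAP_FAILED, FMT_ERR("mmap"))` accepts any mmap failure, so the test would still pass if the request were refused for a reason other than the new overflow check in dsp_mmap_single(); pinning the error narrows that, e.g. `ATF_REQUIRE_ERRNO(EINVAL, buf == MAP_FAILED);`. Its failure message also formats `strerror(errno)` on the path where mmap succeeded, when errno is stale. The following `munmap(buf, len);` only ever runs with `buf == MAP_FAILED` and can be dropped. `strerror()` is reached through FMT_ERR, but the include list has no `#include <string.h>`.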