Bug 13587

Summary: Voxware MIXER_READ ioctl corrupts memory
Product: Base System
Reporter: Randall Hopper <aa8vb>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: aa8vb
Priority: Normal    
Version: 3.2-RELEASE   
Hardware: Any   
OS: Any   

Description Randall Hopper 1999-09-06 01:50:01 UTC
        int stomp_me = 0x12345678;
        unsigned char  vol[2];

        ioctl( mixer_fd, MIXER_READ( SOUND_MIXER_LINE ), vol );

        The ioctl overwrites the lower two bytes of 'stomp_me'.  This is
        how Linux apps like xmix declare vol, so apparently this is a bug
        in our Voxware drivers.  xmix may be saved from memory corruption
        only by the structure alignment policy of FreeBSD.

How-To-Repeat: 
        The output of the following program is:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <machine/soundcard.h>
#include <assert.h>

int main( int argc, char *argv[] )
{
  int mixer_fd, ret, ctrls;
  int stomp_me = 0x12345678;   /* canary placed next to the buffer */
  unsigned char  vol[2];       /* two-byte buffer, as xmix declares it */

  mixer_fd = open( "/dev/mixer0", O_RDWR, 0 );
  assert( mixer_fd >= 0 );

  /* Make sure the line-in channel exists before reading it. */
  ret = ioctl( mixer_fd, SOUND_MIXER_READ_DEVMASK, &ctrls );
  assert( ret >= 0 );

  assert( ctrls & SOUND_MASK_LINE );

  /* The read under test: the driver fills in vol. */
  ret = ioctl( mixer_fd, MIXER_READ( SOUND_MIXER_LINE ), vol );
  assert( ret >= 0 );

  printf( "Volume is %d,%d\n", vol[0], vol[1] );

  /* Any change to the canary means the ioctl wrote past vol. */
  if ( stomp_me != 0x12345678 ) {
    fprintf( stderr, "\n\nWhooah!  Sound ioctl() stomped memory!\n"
                     "Value was 0x12345678, now it's 0x%.8x\n",
             stomp_me );
    exit(1);
  }

  close( mixer_fd );

  return 0;
}

Comment 1 Søren Schmidt freebsd_committer freebsd_triage 2001-05-30 10:12:43 UTC
State Changed
From-To: open->closed

We have a new sound subsystem.
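
A caller-side guard for the read shown in the report, as an added example that is not code from the report or from FreeBSD: it lands the ioctl result in a full `int`, checks the argument size that the request code itself declares, and only then unpacks the two channel bytes. The helper names (`ioctl_out_size`, `unpack_level`, `mixer_read_level`) are hypothetical, and it assumes `<sys/soundcard.h>` is available (the report's program uses `<machine/soundcard.h>`) and that the level word packs left in the low byte and right in the next byte.

```c
/* Added example: caller-side guard for OSS mixer reads (helper names are hypothetical). */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/soundcard.h>   /* assumption: the report itself uses <machine/soundcard.h> */

/* Argument size, in bytes, that the request code declares. */
static size_t ioctl_out_size(unsigned long req)
{
#ifdef IOCPARM_LEN
  return IOCPARM_LEN(req);   /* BSD request encoding */
#else
  return _IOC_SIZE(req);     /* Linux request encoding */
#endif
}

/* Split the packed level word: low byte = left, next byte = right. */
static void unpack_level(int level, unsigned char out[2])
{
  out[0] = (unsigned char)(level & 0xff);
  out[1] = (unsigned char)((level >> 8) & 0xff);
}

/* Read one mixer channel without exposing the caller's 2-byte buffer. */
static int mixer_read_level(int fd, int dev, unsigned char out[2])
{
  int level = 0;                         /* full-width landing buffer */
  unsigned long req = MIXER_READ(dev);
  if (ioctl_out_size(req) > sizeof level)
    return -1;                           /* request declares more than we hold */
  if (ioctl(fd, req, &level) < 0)
    return -1;
  unpack_level(level, out);
  return 0;
}

int main(void)
{
  unsigned char vol[2];
  int fd = open("/dev/mixer0", O_RDWR);  /* device path from the report */
  if (fd < 0 || mixer_read_level(fd, SOUND_MIXER_LINE, vol) < 0) {
    perror("mixer");
    return 1;
  }
  printf("Volume is %d,%d\n", vol[0], vol[1]);
  close(fd);
  return 0;
}
```
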