Re: [PATCH] ALSA: bebob: potential info leak in hwdep_read()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Thanks for the patch.

On Wed, Oct 07, 2020 at 10:49:28AM +0300, Dan Carpenter wrote:
> The "count" variable needs to be capped on every path so that we don't
> copy too much information to the user.
> 
> Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
>  sound/firewire/bebob/bebob_hwdep.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/sound/firewire/bebob/bebob_hwdep.c b/sound/firewire/bebob/bebob_hwdep.c
> index 45b740f44c45..c362eb38ab90 100644
> --- a/sound/firewire/bebob/bebob_hwdep.c
> +++ b/sound/firewire/bebob/bebob_hwdep.c
> @@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf,  long count,
>  	}
>  
>  	memset(&event, 0, sizeof(event));
> +	count = min_t(long, count, sizeof(event.lock_status));
>  	if (bebob->dev_lock_changed) {
>  		event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
>  		event.lock_status.status = (bebob->dev_lock_count > 0);
>  		bebob->dev_lock_changed = false;
> -
> -		count = min_t(long, count, sizeof(event.lock_status));
>  	}
>  
>  	spin_unlock_irq(&bebob->lock);
> -- 
> 2.28.0

Indeed, the bug can leak the contents of kernel memory into user space
unintentionally for the size indicated by ALSA HwDep application...

I will check the other drivers in ALSA firewire stack later for safe.


Thanks

Takashi Sakamoto



[Index of Archives]     [ALSA User]     [Linux Audio Users]     [Pulse Audio]     [Kernel Archive]     [Asterisk PBX]     [Photo Sharing]     [Linux Sound]     [Video 4 Linux]     [Gimp]     [Yosemite News]

  Powered by Linux