Structure msm_audio_stats is copied to userland with some fields unitialized. It leads to leaking of contents of kernel stack memory. Also struct msm_audio_config has field "unused" of type array of 3 elements, not 4. Instead of this, initialize field "type".
Signed-off-by: Vasiliy Kulikov <segooon@xxxxxxxxx>
---
drivers/staging/dream/qdsp5/audio_aac.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/staging/dream/qdsp5/audio_aac.c b/drivers/staging/dream/qdsp5/audio_aac.c
index 45f4c78..b058c24 100644
--- a/drivers/staging/dream/qdsp5/audio_aac.c
+++ b/drivers/staging/dream/qdsp5/audio_aac.c
@@ -589,6 +589,7 @@ static long audio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 if (cmd == AUDIO_GET_STATS) {
 struct msm_audio_stats stats;
+ memset(&stats, 0, sizeof(stats));
 stats.byte_count = audpp_avsync_byte_count(audio->dec_id);
 stats.sample_count = audpp_avsync_sample_count(audio->dec_id);
 if (copy_to_user((void *)arg, &stats, sizeof(stats)))
@@ -664,10 +665,10 @@ static long audio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 } else {
 config.channel_count = 2;
 }
+ config.type = 0;
 config.unused[0] = 0;
 config.unused[1] = 0;
 config.unused[2] = 0;
- config.unused[3] = 0;
 if (copy_to_user((void *)arg, &config, sizeof(config)))
 rc = -EFAULT;
--
1.7.0.4
_______________________________________________
devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
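Review bot: The added `memset(&stats, 0, sizeof(stats));` in the AUDIO_GET_STATS branch has no comment saying why it is there, and because the two assignments that follow look like a complete initialization it is an easy line to drop in a later cleanup. A one-line comment above it would keep the intent visible: `/* zero the whole struct, including members not set below, before copy_to_user() */`. The branch continues past the end of the hunk, so the error path after `copy_to_user()` is not visible here.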
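Review bot: In the second hunk `config` is still initialized member by member, so any member or padding the code does not name would still reach userland as stack contents. The commit description notes that the old `unused[3]` store was already past the 3-element array, which shows how easily per-field zeroing drifts from the struct definition. Zeroing the whole struct where `config` is declared, `memset(&config, 0, sizeof(config));`, as the first hunk does for `stats`, would make `config.type = 0;` and the three `unused[]` stores unnecessary. The declaration of `config` and the definition of struct msm_audio_config are outside the hunk, so whether anything is actually left unset after this change cannot be confirmed from here.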