Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The status struct has a hole in it, and on some paths not all the
members were initialized.
struct hdspm_status {
unsigned char card_type; /* 0 1 */
/* XXX 3 bytes hole, try to pack */
enum hdspm_syncsource autosync_source; /* 4 4 */
long long unsigned int card_clock; /* 8 8 */
The hdspm_version struct had holes in it as well.
struct hdspm_version {
unsigned char card_type; /* 0 1 */
char cardname[20]; /* 1 20 */
/* XXX 3 bytes hole, try to pack */
unsigned int serial; /* 24 4 */
short unsigned int firmware_rev; /* 28 2 */
/* XXX 2 bytes hole, try to pack */
int addons; /* 32 4 */
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
index 214110d..bf438d1 100644
--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
break;
case SNDRV_HDSPM_IOCTL_GET_STATUS:
+ memset(&status, 0, sizeof(status));
+
status.card_type = hdspm->io_type;
status.autosync_source = hdspm_autosync_ref(hdspm);
@@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
break;
case SNDRV_HDSPM_IOCTL_GET_VERSION:
+ memset(&hdspm_version, 0, sizeof(hdspm_version));
+
hdspm_version.card_type = hdspm->io_type;
strncpy(hdspm_version.cardname, hdspm->card_name,
sizeof(hdspm_version.cardname));
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
