From patchwork Thu Apr  4 21:33:55 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Zubin Mithra <zsm@chromium.org>
X-Patchwork-Id: 10887401
Return-Path: <alsa-devel-bounces@alsa-project.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 10A121575
	for <patchwork-alsa-devel@patchwork.kernel.org>;
 Fri,  5 Apr 2019 13:48:20 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E964120415
	for <patchwork-alsa-devel@patchwork.kernel.org>;
 Fri,  5 Apr 2019 13:48:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DD7BE27DCD; Fri,  5 Apr 2019 13:48:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id E6DB720415
	for <patchwork-alsa-devel@patchwork.kernel.org>;
 Fri,  5 Apr 2019 13:48:18 +0000 (UTC)
Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by alsa0.perex.cz (Postfix) with ESMTPS id 342B21648;
	Fri,  5 Apr 2019 15:47:27 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 342B21648
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org;
	s=default; t=1554472097;
	bh=m2kOgjXzvlg+Q8bZ7KoLPoiYJTNdWCKZj55FmgbePrg=;
	h=From:To:Date:Cc:Subject:List-Id:List-Unsubscribe:List-Archive:
	 List-Post:List-Help:List-Subscribe:From;
	b=KKOvGnMD9UCjjgaXeAdjAQgKCs2rWmyn2f79jZ7uEDPDkx6ouQYyizxn5KSiAK5mL
	 GpY/JiDhz326tDTBWSR2h8oWwfe319f2pm/87ZNUhx9P8rEE0+q/dFifk9tuZfMvL1
	 +olYyWxf6FtJuaib56KkLR8Xnu3Pe1T8FqD0Q2fo=
Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1])
	by alsa1.perex.cz (Postfix) with ESMTP id 17154F8971B;
	Fri,  5 Apr 2019 15:45:48 +0200 (CEST)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa1.perex.cz (Postfix, from userid 50401)
 id 50509F89633; Thu,  4 Apr 2019 23:34:13 +0200 (CEST)
Received: from mail-pl1-x641.google.com (mail-pl1-x641.google.com
 [IPv6:2607:f8b0:4864:20::641])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by alsa1.perex.cz (Postfix) with ESMTPS id EC518F8075B
 for <alsa-devel@alsa-project.org>; Thu,  4 Apr 2019 23:34:09 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz EC518F8075B
Authentication-Results: alsa1.perex.cz;
 dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="m0lWeAsC"
Received: by mail-pl1-x641.google.com with SMTP id d1so1809124plj.8
 for <alsa-devel@alsa-project.org>; Thu, 04 Apr 2019 14:34:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org;
 s=google;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=lUwrnQdGsLMvi3vLBVNO+cEwIjOIRtETxdqafmlPTks=;
 b=m0lWeAsCatvBC5ZeKFD2OjbmkWyM4flkKxAUcBbnnC+7PAtsQuXeOxEggYGVlQOfPA
 UK568nD2MgnRvqSPW/sUqt49vKN1Mqo22/nAl8uk1/L+B02q2aJFDVf/icctLYEM/Nmx
 6vRt0BSsr1MT/zl/nqeydWyHxHWMGmmtrZh6Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=lUwrnQdGsLMvi3vLBVNO+cEwIjOIRtETxdqafmlPTks=;
 b=GVyfDNedA8FWEGKP7Lr7ds3XbkyWznVr9OKLVrJLs1NIWIDoa0TapMea8xLGh0Mydx
 1p+NwLr+0VbQEa48S+ihc8FwplH2HQFSaVUNMMh03wxnhxqB08cNWBUqU9tBEGo59/gR
 K6PoGtOTLUH7w7xq2ixWRr+bI3PBEMaUBHS7mwV6Vro5+I+Yfd/o9bSOHYMfRpOF6G38
 XCaboCsr8eujN6fXltukoQ3tLJ/xmHQlUm1OF4iwannxVV4Le1703HnP77BvAWopmIfz
 ROzUGrlgxiaCzt7LjLzblPXMEkyE64CL9cN2opbDlleckVKJjKWmDN0yXS0+1Zix2GQF
 Gt+g==
X-Gm-Message-State: APjAAAUEFiT4e6UtIvaYVzrVA2QeUtBccKRxv5cUPd8W6BAvIMnPGD/Z
 DugLjGeJRo5PsxzNKwiKN7y9leKYcT0=
X-Google-Smtp-Source: 
 APXvYqzcz5yA+Gcv3HGeDDJZqm4UHRFBDcyRuLa2lFN0fklGWAz/UygNdIFLWZneqLklML7BPF61pg==
X-Received: by 2002:a17:902:2d01:: with SMTP id
 o1mr8905567plb.155.1554413646003;
 Thu, 04 Apr 2019 14:34:06 -0700 (PDT)
Received: from zsm-linux.mtv.corp.google.com
 ([2620:15c:202:201:49ea:b78f:4f04:4d25])
 by smtp.googlemail.com with ESMTPSA id m8sm6264882pgn.59.2019.04.04.14.34.04
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 04 Apr 2019 14:34:05 -0700 (PDT)
From: Zubin Mithra <zsm@chromium.org>
To: alsa-devel@alsa-project.org
Date: Thu,  4 Apr 2019 14:33:55 -0700
Message-Id: <20190404213355.76452-1-zsm@chromium.org>
X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog
MIME-Version: 1.0
X-Mailman-Approved-At: Fri, 05 Apr 2019 15:45:41 +0200
Cc: groeck@chromium.org, tiwai@suse.com, Zubin Mithra <zsm@chromium.org>
Subject: [alsa-devel] [PATCH] ALSA: seq: Fix OOB-reads from strlcpy
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
 http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <https://mailman.alsa-project.org/mailman/options/alsa-devel>,
 <mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: 
 <https://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
 <mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>
X-Virus-Scanned: ClamAV using ClamSMTP

When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.

Signed-off-by: Zubin Mithra <zsm@chromium.org>
---
 sound/core/seq/seq_clientmgr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 7d4640d1fe9fb..38e7deab63847 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1252,7 +1252,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client,
 
 	/* fill the info fields */
 	if (client_info->name[0])
-		strlcpy(client->name, client_info->name, sizeof(client->name));
+		strscpy(client->name, client_info->name, sizeof(client->name));
 
 	client->filter = client_info->filter;
 	client->event_lost = client_info->event_lost;
@@ -1530,7 +1530,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client, void *arg)
 	/* set queue name */
 	if (!info->name[0])
 		snprintf(info->name, sizeof(info->name), "Queue-%d", q->queue);
-	strlcpy(q->name, info->name, sizeof(q->name));
+	strscpy(q->name, info->name, sizeof(q->name));
 	snd_use_lock_free(&q->use_lock);
 
 	return 0;
@@ -1592,7 +1592,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client,
 		queuefree(q);
 		return -EPERM;
 	}
-	strlcpy(q->name, info->name, sizeof(q->name));
+	strscpy(q->name, info->name, sizeof(q->name));
 	queuefree(q);
 
 	return 0;