Message ID | 1476362201-58016-1-git-send-email-vlad@tsyrklevich.net (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Thu, 13 Oct 2016 14:36:41 +0200, Vlad Tsyrklevich wrote: > > Some elements in hr are not cleared before being copied to user space, > leaking kernel heap memory to user space. For example, this happens in > the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory > before it's copied. > > Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> Applied, thanks. Takashi > --- > sound/pci/asihpi/hpioctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c > index d17937b..7e3aa50 100644 > --- a/sound/pci/asihpi/hpioctl.c > +++ b/sound/pci/asihpi/hpioctl.c > @@ -111,7 +111,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > return -EINVAL; > > hm = kmalloc(sizeof(*hm), GFP_KERNEL); > - hr = kmalloc(sizeof(*hr), GFP_KERNEL); > + hr = kzalloc(sizeof(*hr), GFP_KERNEL); > if (!hm || !hr) { > err = -ENOMEM; > goto out; > -- > 2.7.0 > > _______________________________________________ > Alsa-devel mailing list > Alsa-devel@alsa-project.org > http://mailman.alsa-project.org/mailman/listinfo/alsa-devel >
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index d17937b..7e3aa50 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c @@ -111,7 +111,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) return -EINVAL; hm = kmalloc(sizeof(*hm), GFP_KERNEL); - hr = kmalloc(sizeof(*hr), GFP_KERNEL); + hr = kzalloc(sizeof(*hr), GFP_KERNEL); if (!hm || !hr) { err = -ENOMEM; goto out;
Some elements in hr are not cleared before being copied to user space, leaking kernel heap memory to user space. For example, this happens in the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory before it's copied. Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> --- sound/pci/asihpi/hpioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)