sound/pci/asihpi: fix kernel memory disclosure

Message ID	1476362201-58016-1-git-send-email-vlad@tsyrklevich.net (mailing list archive)
State	New, archived
Headers	show Return-Path: <alsa-devel-bounces@alsa-project.org> From: Vlad Tsyrklevich <vlad@tsyrklevich.net> To: alsa-devel@alsa-project.org Date: Thu, 13 Oct 2016 14:36:41 +0200 Message-Id: <1476362201-58016-1-git-send-email-vlad@tsyrklevich.net> Cc: Vlad Tsyrklevich <vlad@tsyrklevich.net> Subject: [alsa-devel] [PATCH] sound/pci/asihpi: fix kernel memory disclosure Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: alsa-devel-bounces@alsa-project.org Sender: alsa-devel-bounces@alsa-project.org

Message ID

1476362201-58016-1-git-send-email-vlad@tsyrklevich.net (mailing list archive)

State

New, archived

Headers

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
To: alsa-devel@alsa-project.org
Date: Thu, 13 Oct 2016 14:36:41 +0200
Message-Id: <1476362201-58016-1-git-send-email-vlad@tsyrklevich.net>
Cc: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Subject: [alsa-devel] [PATCH] sound/pci/asihpi: fix kernel memory disclosure
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org

Commit Message

Vlad Tsyrklevich Oct. 13, 2016, 12:36 p.m. UTC

Some elements in hr are not cleared before being copied to user space,
leaking kernel heap memory to user space. For example, this happens in
the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory
before it's copied.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
---
 sound/pci/asihpi/hpioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Takashi Iwai Oct. 18, 2016, 12:09 p.m. UTC | #1

On Thu, 13 Oct 2016 14:36:41 +0200,
Vlad Tsyrklevich wrote:
> 
> Some elements in hr are not cleared before being copied to user space,
> leaking kernel heap memory to user space. For example, this happens in
> the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory
> before it's copied.
> 
> Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>

Applied, thanks.


Takashi

> ---
>  sound/pci/asihpi/hpioctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index d17937b..7e3aa50 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -111,7 +111,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  		return -EINVAL;
>  
>  	hm = kmalloc(sizeof(*hm), GFP_KERNEL);
> -	hr = kmalloc(sizeof(*hr), GFP_KERNEL);
> +	hr = kzalloc(sizeof(*hr), GFP_KERNEL);
>  	if (!hm || !hr) {
>  		err = -ENOMEM;
>  		goto out;
> -- 
> 2.7.0
> 
> _______________________________________________
> Alsa-devel mailing list
> Alsa-devel@alsa-project.org
> http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
>

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index d17937b..7e3aa50 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -111,7 +111,7 @@  long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		return -EINVAL;
 
 	hm = kmalloc(sizeof(*hm), GFP_KERNEL);
-	hr = kmalloc(sizeof(*hr), GFP_KERNEL);
+	hr = kzalloc(sizeof(*hr), GFP_KERNEL);
 	if (!hm || !hr) {
 		err = -ENOMEM;
 		goto out;

sound/pci/asihpi: fix kernel memory disclosure

Commit Message

Comments

Patch