[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1565469607.465476075@decadent.org.uk>
Date: Sat, 10 Aug 2019 21:40:07 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, Denis Kirjanov <kda@...ux-powerpc.org>,
"Takashi Iwai" <tiwai@...e.de>,
"Guenter Roeck" <groeck@...omium.org>,
"Zubin Mithra" <zsm@...omium.org>
Subject: [PATCH 3.16 071/157] ALSA: seq: Fix OOB-reads from strlcpy
3.16.72-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zubin Mithra <zsm@...omium.org>
commit 212ac181c158c09038c474ba68068be49caecebb upstream.
When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.
Signed-off-by: Zubin Mithra <zsm@...omium.org>
Reviewed-by: Guenter Roeck <groeck@...omium.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
sound/core/seq/seq_clientmgr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info
/* fill the info fields */
if (client_info.name[0])
- strlcpy(client->name, client_info.name, sizeof(client->name));
+ strscpy(client->name, client_info.name, sizeof(client->name));
client->filter = client_info.filter;
client->event_lost = client_info.event_lost;
@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(st
/* set queue name */
if (! info.name[0])
snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
- strlcpy(q->name, info.name, sizeof(q->name));
+ strscpy(q->name, info.name, sizeof(q->name));
queuefree(q);
if (copy_to_user(arg, &info, sizeof(info)))
@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(
queuefree(q);
return -EPERM;
}
- strlcpy(q->name, info.name, sizeof(q->name));
+ strscpy(q->name, info.name, sizeof(q->name));
queuefree(q);
return 0;
Powered by blists - more mailing lists