| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230519093114.28813-17-tiwai@suse.de>
Date: Fri, 19 May 2023 11:30:54 +0200
From: Takashi Iwai <tiwai@...e.de>
To: alsa-devel@...a-project.org
Cc: linux-kernel@...r.kernel.org
Subject: [PATCH 16/36] ALSA: seq: Clear padded bytes at expanding events
There can be a small memory hole that may not be cleared at expanding
an event with the variable length type. Make sure to clear it.
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
sound/core/seq/seq_memory.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index 47ef6bc30c0e..c8d26bce69ff 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -152,12 +152,16 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char
return -EINVAL;
if (copy_from_user(buf, (void __force __user *)event->data.ext.ptr, len))
return -EFAULT;
- return newlen;
+ } else {
+ err = snd_seq_dump_var_event(event,
+ in_kernel ? seq_copy_in_kernel : seq_copy_in_user,
+ &buf);
+ if (err < 0)
+ return err;
}
- err = snd_seq_dump_var_event(event,
- in_kernel ? seq_copy_in_kernel : seq_copy_in_user,
- &buf);
- return err < 0 ? err : newlen;
+ if (len != newlen)
+ memset(buf + len, 0, newlen - len);
+ return newlen;
}
EXPORT_SYMBOL(snd_seq_expand_var_event);
--
2.35.3
Powered by blists - more mailing lists