| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231102190309.50891-2-pstanner@redhat.com>
Date: Thu, 2 Nov 2023 20:03:10 +0100
From: Philipp Stanner <pstanner@...hat.com>
To: Jaroslav Kysela <perex@...ex.cz>, Takashi Iwai <tiwai@...e.com>
Cc: alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
Philipp Stanner <pstanner@...hat.com>,
Dave Airlie <airlied@...hat.com>
Subject: [PATCH] sound/isa/wavefront: copy userspace array safely
wavefront_fx.c utilizes memdup_user() to copy a userspace array. This
does not check for an overflow.
Use the new wrapper memdup_array_user() to copy the array more safely.
Suggested-by: Dave Airlie <airlied@...hat.com>
Signed-off-by: Philipp Stanner <pstanner@...hat.com>
---
sound/isa/wavefront/wavefront_fx.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/isa/wavefront/wavefront_fx.c b/sound/isa/wavefront/wavefront_fx.c
index 3c21324b2a0e..0273b7dfaf12 100644
--- a/sound/isa/wavefront/wavefront_fx.c
+++ b/sound/isa/wavefront/wavefront_fx.c
@@ -191,9 +191,9 @@ snd_wavefront_fx_ioctl (struct snd_hwdep *sdev, struct file *file,
"> 512 bytes to FX\n");
return -EIO;
}
- page_data = memdup_user((unsigned char __user *)
- r.data[3],
- r.data[2] * sizeof(short));
+ page_data = memdup_array_user((unsigned char __user *)
+ r.data[3],
+ r.data[2], sizeof(short));
if (IS_ERR(page_data))
return PTR_ERR(page_data);
pd = page_data;
--
2.41.0
Powered by blists - more mailing lists