All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] sound/pci/asihpi: fix kernel memory disclosure
@ 2016-10-13 12:36 Vlad Tsyrklevich
  2016-10-18 12:09 ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: Vlad Tsyrklevich @ 2016-10-13 12:36 UTC (permalink / raw)
  To: alsa-devel; +Cc: Vlad Tsyrklevich

Some elements in hr are not cleared before being copied to user space,
leaking kernel heap memory to user space. For example, this happens in
the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory
before it's copied.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
---
 sound/pci/asihpi/hpioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index d17937b..7e3aa50 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -111,7 +111,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 		return -EINVAL;
 
 	hm = kmalloc(sizeof(*hm), GFP_KERNEL);
-	hr = kmalloc(sizeof(*hr), GFP_KERNEL);
+	hr = kzalloc(sizeof(*hr), GFP_KERNEL);
 	if (!hm || !hr) {
 		err = -ENOMEM;
 		goto out;
-- 
2.7.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] sound/pci/asihpi: fix kernel memory disclosure
  2016-10-13 12:36 [PATCH] sound/pci/asihpi: fix kernel memory disclosure Vlad Tsyrklevich
@ 2016-10-18 12:09 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2016-10-18 12:09 UTC (permalink / raw)
  To: Vlad Tsyrklevich; +Cc: alsa-devel

On Thu, 13 Oct 2016 14:36:41 +0200,
Vlad Tsyrklevich wrote:
> 
> Some elements in hr are not cleared before being copied to user space,
> leaking kernel heap memory to user space. For example, this happens in
> the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory
> before it's copied.
> 
> Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>

Applied, thanks.


Takashi

> ---
>  sound/pci/asihpi/hpioctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
> index d17937b..7e3aa50 100644
> --- a/sound/pci/asihpi/hpioctl.c
> +++ b/sound/pci/asihpi/hpioctl.c
> @@ -111,7 +111,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  		return -EINVAL;
>  
>  	hm = kmalloc(sizeof(*hm), GFP_KERNEL);
> -	hr = kmalloc(sizeof(*hr), GFP_KERNEL);
> +	hr = kzalloc(sizeof(*hr), GFP_KERNEL);
>  	if (!hm || !hr) {
>  		err = -ENOMEM;
>  		goto out;
> -- 
> 2.7.0
> 
> _______________________________________________
> Alsa-devel mailing list
> Alsa-devel@alsa-project.org
> http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-10-18 12:09 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-13 12:36 [PATCH] sound/pci/asihpi: fix kernel memory disclosure Vlad Tsyrklevich
2016-10-18 12:09 ` Takashi Iwai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.