Date: Wed, 7 Oct 2020 22:04:37 +0900
From: Takashi Sakamoto
To: Dan Carpenter
Subject: Re: [PATCH] ALSA: bebob: potential info leak in hwdep_read()
Message-ID: <20201007130437.GA73459@workstation>
References: <20201007074928.GA2529578@mwanda>
In-Reply-To: <20201007074928.GA2529578@mwanda>
Cc: kernel-janitors@vger.kernel.org, alsa-devel@alsa-project.org, Clemens Ladisch, Takashi Iwai

Hi,

Thanks for the patch.

On Wed, Oct 07, 2020 at 10:49:28AM +0300, Dan Carpenter wrote:
> The "count" variable needs to be capped on every path so that we don't
> copy too much information to the user.
>
> Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface")
> Signed-off-by: Dan Carpenter
> --- > sound/firewire/bebob/bebob_hwdep.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/sound/firewire/bebob/bebob_hwdep.c b/sound/firewire/bebob/bebob_hwdep.c > index 45b740f44c45..c362eb38ab90 100644 > --- a/sound/firewire/bebob/bebob_hwdep.c > +++ b/sound/firewire/bebob/bebob_hwdep.c
> @@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, > } > > memset(&event, 0, sizeof(event)); > + count = min_t(long, count, sizeof(event.lock_status)); > if (bebob->dev_lock_changed) { > event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS; > event.lock_status.status = (bebob->dev_lock_count > 0); > bebob->dev_lock_changed = false; > - > - count = min_t(long, count, sizeof(event.lock_status)); > } > > spin_unlock_irq(&bebob->lock); > -- > 2.28.0

Indeed, the bug can leak the contents of kernel memory into user space unintentionally for the size indicated by the ALSA HwDep application... I will check the other drivers in the ALSA firewire stack later for safety.

Thanks

Takashi Sakamoto
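
Review bot: the clamp added ahead of `if (bebob->dev_lock_changed)` has no comment saying why it must stay outside that branch, and the removed lines show it already sat inside the branch once. A one-line comment above `count = min_t(long, count, sizeof(event.lock_status));` stating that `count` comes from the caller and has to be bounded on every path, including the one where `dev_lock_changed` is false and `event` is still all zeroes from the `memset`, would keep a later cleanup from moving it back. Separately, `count` is a `long` in the `hwdep_read()` signature and `min_t(long, ...)` only bounds it from above; whether a negative value can reach this function is not visible in the hunk, so it is worth confirming, or adding a lower bound next to the clamp.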