From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Clemens Ladisch <clemens@ladisch.de>
Cc: alsa-devel@alsa-project.org, Mark Brown <broonie@kernel.org>,
kernel-janitors@vger.kernel.org, Takashi Iwai <tiwai@suse.com>
Subject: Re: [PATCH] ALSA: fireface: fix info leak in hwdep_read()
Date: Thu, 21 Jan 2021 20:42:04 +0000 [thread overview]
Message-ID: <3ef5f7f4-efeb-8a92-1886-d92e14211287@wanadoo.fr> (raw)
In-Reply-To: <YAka5xudQNQgRkuC@mwanda>
Hi Dan,
Le 21/01/2021 à 07:10, Dan Carpenter a écrit :
> If "ff->dev_lock_changed" has not changed
According to the "while (!ff->dev_lock_changed) { ... }" just above and
the lock in place, can this ever happen?
In other word, I wonder if the "if (ff->dev_lock_changed)" test makes
sense and if it could be removed.
(same for your other patch against sound/firewire/oxfw/oxfw-hwdep.c)
CJ
> and "count" is too large then
> this will copy data beyond the end of the struct to user space.
>
> Fixes: f656edd5fb33 ("ALSA: fireface: add hwdep interface")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> sound/firewire/fireface/ff-hwdep.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/firewire/fireface/ff-hwdep.c b/sound/firewire/fireface/ff-hwdep.c
> index 4b2e0dff5ddb..b84dde609a03 100644
> --- a/sound/firewire/fireface/ff-hwdep.c
> +++ b/sound/firewire/fireface/ff-hwdep.c
> @@ -35,12 +35,12 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
> }
>
> memset(&event, 0, sizeof(event));
> + count = min_t(long, count, sizeof(event.lock_status));
> if (ff->dev_lock_changed) {
> event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
> event.lock_status.status = (ff->dev_lock_count > 0);
> ff->dev_lock_changed = false;
>
> - count = min_t(long, count, sizeof(event.lock_status));
> }
>
> spin_unlock_irq(&ff->lock);
>
WARNING: multiple messages have this Message-ID (diff)
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Clemens Ladisch <clemens@ladisch.de>
Cc: alsa-devel@alsa-project.org, Mark Brown <broonie@kernel.org>,
kernel-janitors@vger.kernel.org, Takashi Iwai <tiwai@suse.com>
Subject: Re: [PATCH] ALSA: fireface: fix info leak in hwdep_read()
Date: Thu, 21 Jan 2021 21:42:04 +0100 [thread overview]
Message-ID: <3ef5f7f4-efeb-8a92-1886-d92e14211287@wanadoo.fr> (raw)
In-Reply-To: <YAka5xudQNQgRkuC@mwanda>
Hi Dan,
Le 21/01/2021 à 07:10, Dan Carpenter a écrit :
> If "ff->dev_lock_changed" has not changed
According to the "while (!ff->dev_lock_changed) { ... }" just above and
the lock in place, can this ever happen?
In other word, I wonder if the "if (ff->dev_lock_changed)" test makes
sense and if it could be removed.
(same for your other patch against sound/firewire/oxfw/oxfw-hwdep.c)
CJ
> and "count" is too large then
> this will copy data beyond the end of the struct to user space.
>
> Fixes: f656edd5fb33 ("ALSA: fireface: add hwdep interface")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> sound/firewire/fireface/ff-hwdep.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/firewire/fireface/ff-hwdep.c b/sound/firewire/fireface/ff-hwdep.c
> index 4b2e0dff5ddb..b84dde609a03 100644
> --- a/sound/firewire/fireface/ff-hwdep.c
> +++ b/sound/firewire/fireface/ff-hwdep.c
> @@ -35,12 +35,12 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
> }
>
> memset(&event, 0, sizeof(event));
> + count = min_t(long, count, sizeof(event.lock_status));
> if (ff->dev_lock_changed) {
> event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
> event.lock_status.status = (ff->dev_lock_count > 0);
> ff->dev_lock_changed = false;
>
> - count = min_t(long, count, sizeof(event.lock_status));
> }
>
> spin_unlock_irq(&ff->lock);
>
next prev parent reply other threads:[~2021-01-21 20:42 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-21 6:10 [PATCH] ALSA: fireface: fix info leak in hwdep_read() Dan Carpenter
2021-01-21 6:10 ` Dan Carpenter
2021-01-21 20:42 ` Christophe JAILLET [this message]
2021-01-21 20:42 ` Christophe JAILLET
2021-01-22 7:13 ` Dan Carpenter
2021-01-22 7:13 ` Dan Carpenter
2021-01-25 11:12 ` [PATCH v2 1/2] ALSA: oxfw: remove an unnecessary condition " Dan Carpenter
2021-01-25 11:12 ` Dan Carpenter
2021-01-25 13:46 ` Takashi Sakamoto
2021-01-25 13:46 ` Takashi Sakamoto
2021-01-25 13:51 ` Takashi Iwai
2021-01-25 13:51 ` Takashi Iwai
2021-01-25 11:13 ` [PATCH v2 2/2] ALSA: fireface: remove " Dan Carpenter
2021-01-25 11:13 ` Dan Carpenter
2021-01-25 13:45 ` Takashi Sakamoto
2021-01-25 13:45 ` Takashi Sakamoto
2021-01-25 13:51 ` Takashi Iwai
2021-01-25 13:51 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3ef5f7f4-efeb-8a92-1886-d92e14211287@wanadoo.fr \
--to=christophe.jaillet@wanadoo.fr \
--cc=alsa-devel@alsa-project.org \
--cc=broonie@kernel.org \
--cc=clemens@ladisch.de \
--cc=dan.carpenter@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.