diff options
| author | Takashi Iwai <tiwai@suse.de> | 2021-05-17 16:15:38 +0300 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2021-05-17 17:04:10 +0300 |
| commit | 4e268db74770b454b877ab5260f1868a457d212c (patch) | |
| tree | d739e23399bb1edb4774a6b005ceaab388f33ded /sound/usb/usx2y/usx2yhwdeppcm.c | |
| parent | a829dd5b3840fd9a24608ed73eb21ba239ae5334 (diff) | |
| download | linux-4e268db74770b454b877ab5260f1868a457d212c.tar.xz | |
ALSA: usx2y: Fix potential leaks of uninitialized memory
usx2y drivers may expose the allocated pages via mmap, but it performs
zero-clear only for the struct size, not aligned with the page size.
This leaves out some uninitialized trailing bytes.
This patch fixes the clearance to cover all memory that are exposed to
user-space.
Link: https://lore.kernel.org/r/20210517131545.27252-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/usb/usx2y/usx2yhwdeppcm.c')
| -rw-r--r-- | sound/usb/usx2y/usx2yhwdeppcm.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/sound/usb/usx2y/usx2yhwdeppcm.c b/sound/usb/usx2y/usx2yhwdeppcm.c index 9219341d71c7..b988a4870de4 100644 --- a/sound/usb/usx2y/usx2yhwdeppcm.c +++ b/sound/usb/usx2y/usx2yhwdeppcm.c @@ -485,6 +485,9 @@ static int usx2y_usbpcm_urbs_start(struct snd_usx2y_substream *subs) return err; } +#define USX2Y_HWDEP_PCM_PAGES \ + PAGE_ALIGN(sizeof(struct snd_usx2y_hwdep_pcm_shm)) + /* * prepare callback * @@ -501,11 +504,11 @@ static int snd_usx2y_usbpcm_prepare(struct snd_pcm_substream *substream) snd_printdd("snd_usx2y_pcm_prepare(%p)\n", substream); if (!usx2y->hwdep_pcm_shm) { - usx2y->hwdep_pcm_shm = alloc_pages_exact(sizeof(struct snd_usx2y_hwdep_pcm_shm), + usx2y->hwdep_pcm_shm = alloc_pages_exact(USX2Y_HWDEP_PCM_PAGES, GFP_KERNEL); if (!usx2y->hwdep_pcm_shm) return -ENOMEM; - memset(usx2y->hwdep_pcm_shm, 0, sizeof(struct snd_usx2y_hwdep_pcm_shm)); + memset(usx2y->hwdep_pcm_shm, 0, USX2Y_HWDEP_PCM_PAGES); } mutex_lock(&usx2y->pcm_mutex); @@ -692,8 +695,8 @@ static int snd_usx2y_hwdep_pcm_mmap(struct snd_hwdep *hw, struct file *filp, str return -EBUSY; /* if userspace tries to mmap beyond end of our buffer, fail */ - if (size > PAGE_ALIGN(sizeof(struct snd_usx2y_hwdep_pcm_shm))) { - snd_printd("%lu > %lu\n", size, (unsigned long)sizeof(struct snd_usx2y_hwdep_pcm_shm)); + if (size > USX2Y_HWDEP_PCM_PAGES) { + snd_printd("%lu > %lu\n", size, (unsigned long)USX2Y_HWDEP_PCM_PAGES); return -EINVAL; } @@ -711,7 +714,7 @@ static void snd_usx2y_hwdep_pcm_private_free(struct snd_hwdep *hwdep) struct usx2ydev *usx2y = hwdep->private_data; if (usx2y->hwdep_pcm_shm) - free_pages_exact(usx2y->hwdep_pcm_shm, sizeof(struct snd_usx2y_hwdep_pcm_shm)); + free_pages_exact(usx2y->hwdep_pcm_shm, USX2Y_HWDEP_PCM_PAGES); } int usx2y_hwdep_pcm_new(struct snd_card *card) |