diff options
author | Meng Xu <mengxu.gatech@gmail.com> | 2017-09-19 01:21:56 -0400 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2017-09-19 22:03:59 +0200 |
commit | e1af344df4e5c8fe90f4a63235a68d5405afc41b (patch) | |
tree | b230497f54de3a989062c5cb983ef1bed9507074 /init | |
parent | a931b9ce93841a5b66b709ba5a244276e345e63b (diff) | |
download | linux-e1af344df4e5c8fe90f4a63235a68d5405afc41b.tar.bz2 |
ALSA: asihpi: fix a potential double-fetch bug when copying puhm
The hm->h.size is intended to hold the actual size of the hm struct
that is copied from userspace and should always be <= sizeof(*hm).
However, after copy_from_user(hm, puhm, hm->h.size), since userspace
process has full control over the memory region pointed by puhm, it is
possible that the value of hm->h.size is different from what is fetched-in
previously (get_user(hm->h.size, (u16 __user *)puhm)). In other words,
hm->h.size is overriden and the relation between hm->h.size and the hm
struct is broken.
This patch proposes to use a seperate variable, msg_size, to hold
the value of the first fetch and override hm->h.size to msg_size
after the second fetch to maintain the relation.
Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'init')
0 files changed, 0 insertions, 0 deletions