diff options
author | Takashi Iwai <tiwai@suse.de> | 2021-05-17 15:15:38 +0200 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2021-05-17 16:04:10 +0200 |
commit | 4e268db74770b454b877ab5260f1868a457d212c (patch) | |
tree | d739e23399bb1edb4774a6b005ceaab388f33ded /sound/usb/usx2y/usX2Yhwdep.c | |
parent | a829dd5b3840fd9a24608ed73eb21ba239ae5334 (diff) | |
download | linux-4e268db74770b454b877ab5260f1868a457d212c.tar.bz2 |
ALSA: usx2y: Fix potential leaks of uninitialized memory
usx2y drivers may expose the allocated pages via mmap, but it performs
zero-clear only for the struct size, not aligned with the page size.
This leaves out some uninitialized trailing bytes.
This patch fixes the clearance to cover all memory that are exposed to
user-space.
Link: https://lore.kernel.org/r/20210517131545.27252-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/usb/usx2y/usX2Yhwdep.c')
-rw-r--r-- | sound/usb/usx2y/usX2Yhwdep.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c index 2d4e943be2da..0ed50be89271 100644 --- a/sound/usb/usx2y/usX2Yhwdep.c +++ b/sound/usb/usx2y/usX2Yhwdep.c @@ -55,17 +55,17 @@ static int snd_us428ctls_mmap(struct snd_hwdep *hw, struct file *filp, struct vm return -EBUSY; /* if userspace tries to mmap beyond end of our buffer, fail */ - if (size > PAGE_ALIGN(sizeof(struct us428ctls_sharedmem))) { - snd_printd("%lu > %lu\n", size, (unsigned long)sizeof(struct us428ctls_sharedmem)); + if (size > US428_SHAREDMEM_PAGES) { + snd_printd("%lu > %lu\n", size, (unsigned long)US428_SHAREDMEM_PAGES); return -EINVAL; } if (!us428->us428ctls_sharedmem) { init_waitqueue_head(&us428->us428ctls_wait_queue_head); - us428->us428ctls_sharedmem = alloc_pages_exact(sizeof(struct us428ctls_sharedmem), GFP_KERNEL); + us428->us428ctls_sharedmem = alloc_pages_exact(US428_SHAREDMEM_PAGES, GFP_KERNEL); if (!us428->us428ctls_sharedmem) return -ENOMEM; - memset(us428->us428ctls_sharedmem, -1, sizeof(struct us428ctls_sharedmem)); + memset(us428->us428ctls_sharedmem, -1, US428_SHAREDMEM_PAGES); us428->us428ctls_sharedmem->ctl_snapshot_last = -2; } area->vm_ops = &us428ctls_vm_ops; |