From 4e268db74770b454b877ab5260f1868a457d212c Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mon, 17 May 2021 15:15:38 +0200 Subject: ALSA: usx2y: Fix potential leaks of uninitialized memory usx2y drivers may expose the allocated pages via mmap, but it performs zero-clear only for the struct size, not aligned with the page size. This leaves out some uninitialized trailing bytes. This patch fixes the clearance to cover all memory that are exposed to user-space. Link: https://lore.kernel.org/r/20210517131545.27252-5-tiwai@suse.de Signed-off-by: Takashi Iwai --- sound/usb/usx2y/usX2Yhwdep.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'sound/usb/usx2y/usX2Yhwdep.c')
diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c
index 2d4e943be2da..0ed50be89271 100644
--- a/sound/usb/usx2y/usX2Yhwdep.c
+++ b/sound/usb/usx2y/usX2Yhwdep.c
@@ -55,17 +55,17 @@ static int snd_us428ctls_mmap(struct snd_hwdep *hw, struct file *filp, struct vm
 return -EBUSY;
 /* if userspace tries to mmap beyond end of our buffer, fail */
- if (size > PAGE_ALIGN(sizeof(struct us428ctls_sharedmem))) {
- snd_printd("%lu > %lu\n", size, (unsigned long)sizeof(struct us428ctls_sharedmem));
+ if (size > US428_SHAREDMEM_PAGES) {
+ snd_printd("%lu > %lu\n", size, (unsigned long)US428_SHAREDMEM_PAGES);
 return -EINVAL;
 }
 if (!us428->us428ctls_sharedmem) {
 init_waitqueue_head(&us428->us428ctls_wait_queue_head);
- us428->us428ctls_sharedmem = alloc_pages_exact(sizeof(struct us428ctls_sharedmem), GFP_KERNEL);
+ us428->us428ctls_sharedmem = alloc_pages_exact(US428_SHAREDMEM_PAGES, GFP_KERNEL);
 if (!us428->us428ctls_sharedmem)
 return -ENOMEM;
- memset(us428->us428ctls_sharedmem, -1, sizeof(struct us428ctls_sharedmem));
+ memset(us428->us428ctls_sharedmem, -1, US428_SHAREDMEM_PAGES);
 us428->us428ctls_sharedmem->ctl_snapshot_last = -2;
 }
 area->vm_ops = &us428ctls_vm_ops;
-- cgit v1.2.3
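Review bot: `US428_SHAREDMEM_PAGES` reads like a page count, but all three new uses (the `size >` bound, `alloc_pages_exact()` and `memset()`) treat it as a length in bytes. Its definition is not in this hunk; presumably it is the page-aligned size of `struct us428ctls_sharedmem`, and the fix only covers the trailing bytes if that holds. I would add a comment above the bound check such as `/* US428_SHAREDMEM_PAGES is a page-aligned byte count, not a number of pages */`. It is also worth confirming that the matching `free_pages_exact()` call and the fault handler behind `us428ctls_vm_ops`, both outside this view, use the same constant, so the mapped, cleared and freed sizes cannot drift apart. The body of `snd_us428ctls_mmap` starts and ends outside the hunk.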