Hi,
Thanks for the patch.
On Wed, Oct 07, 2020 at 10:49:28AM +0300, Dan Carpenter wrote:
The "count" variable needs to be capped on every path so that we don't copy too much information to the user.
Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
sound/firewire/bebob/bebob_hwdep.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/firewire/bebob/bebob_hwdep.c b/sound/firewire/bebob/bebob_hwdep.c index 45b740f44c45..c362eb38ab90 100644 --- a/sound/firewire/bebob/bebob_hwdep.c +++ b/sound/firewire/bebob/bebob_hwdep.c @@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count, }
memset(&event, 0, sizeof(event));
- count = min_t(long, count, sizeof(event.lock_status)); if (bebob->dev_lock_changed) { event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS; event.lock_status.status = (bebob->dev_lock_count > 0); bebob->dev_lock_changed = false;
count = min_t(long, count, sizeof(event.lock_status));}
spin_unlock_irq(&bebob->lock);
-- 2.28.0
Indeed, the bug can leak the contents of kernel memory into user space unintentionally for the size indicated by ALSA HwDep application...
I will check the other drivers in ALSA firewire stack later for safe.
Thanks
Takashi Sakamoto