[alsa-devel] CVE-2014-9892 fix is not upstream
Hi!
Digging through some old CVEs I came across this one that doesn't seem to be in mainline. Was there a good reason for not being sent upstream? Maybe it was rejected for some reason and I failed to find the discussion.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9892
https://source.android.com/security/bulletin/2016-08-01.html
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=591b1f455c3...
Cheers, -- Luís
From: Krishnankutty Kolathappilly kkolat@codeaurora.org
snd_compr_tstamp is initialized using aggregate initialization that does not zero out the padded bytes. Initialize timestamp structure to zero using memset to avoid this.
CRs-Fixed: 568717 Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d Signed-off-by: Krishnankutty Kolathappilly kkolat@codeaurora.org --- sound/core/compress_offload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 2c498488af6c..84aaa07ca853 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -659,9 +659,10 @@ snd_compr_set_metadata(struct snd_compr_stream *stream, unsigned long arg) static inline int snd_compr_tstamp(struct snd_compr_stream *stream, unsigned long arg) { - struct snd_compr_tstamp tstamp = {0}; + struct snd_compr_tstamp tstamp; int ret;
+ memset(&tstamp, 0, sizeof(tstamp)); ret = snd_compr_update_tstamp(stream, &tstamp); if (ret == 0) ret = copy_to_user((struct snd_compr_tstamp __user *)arg,
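Review bot: the commit message claims that `= {0}` leaves the padding bytes of `struct snd_compr_tstamp` uninitialized, but nothing in the change shows that the struct has any padding; the changelog should name the padded members, because if the members are packed without gaps the memset() writes exactly the bytes the aggregate initializer already zeroed and the change is a no-op, which is the question the replies below raise. If padding really is present, memset() before copy_to_user() is the right idiom and the changelog should state which bytes it covers that `{0}` does not.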
On Tue, 23 Aug 2016 15:40:37 +0200, Luis Henriques wrote:
From: Krishnankutty Kolathappilly kkolat@codeaurora.org
snd_compr_tstamp is initialized using aggregate initialization that does not zero out the padded bytes. Initialize timestamp structure to zero using memset to avoid this.
CRs-Fixed: 568717 Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d Signed-off-by: Krishnankutty Kolathappilly kkolat@codeaurora.org
Vinod already informed me about this, and we agreed that it doesn't make any sense. What does it really fix?
thanks,
Takashi
sound/core/compress_offload.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 2c498488af6c..84aaa07ca853 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -659,9 +659,10 @@ snd_compr_set_metadata(struct snd_compr_stream *stream, unsigned long arg) static inline int snd_compr_tstamp(struct snd_compr_stream *stream, unsigned long arg) {
- struct snd_compr_tstamp tstamp = {0};
struct snd_compr_tstamp tstamp; int ret;
memset(&tstamp, 0, sizeof(tstamp)); ret = snd_compr_update_tstamp(stream, &tstamp); if (ret == 0) ret = copy_to_user((struct snd_compr_tstamp __user *)arg,
On Tue, Aug 23, 2016 at 03:45:38PM +0200, Takashi Iwai wrote:
On Tue, 23 Aug 2016 15:40:37 +0200, Luis Henriques wrote:
From: Krishnankutty Kolathappilly kkolat@codeaurora.org
snd_compr_tstamp is initialized using aggregate initialization that does not zero out the padded bytes. Initialize timestamp structure to zero using memset to avoid this.
CRs-Fixed: 568717 Change-Id: I7a7d188705161f06201f1a1f2945bb6acd633d5d Signed-off-by: Krishnankutty Kolathappilly kkolat@codeaurora.org
Vinod already informed me about this, and we agreed that it doesn't make any sense. What does it really fix?
Btw is there a process to make this CVE invalidated?
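Added example, not code from this thread or from the kernel: a check for the property the patch's commit message invokes, that every padding byte of a struct about to be copied to user space is zero. `struct tstamp_replica` is an assumed stand-in for `struct snd_compr_tstamp` (five __u32 members), `struct padded_example` is a constructed layout that does have padding, and the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Replica of the struct in the patch (assumed layout: five __u32, hence no padding). */
struct tstamp_replica { uint32_t byte_offset, copied_total, pcm_frames, pcm_io_frames, sampling_rate; };
/* Constructed struct that does have padding: after 'flag' and after 'len'. */
struct padded_example { uint8_t flag; uint32_t count; uint16_t len; uint64_t value; };
/* A member is described by its offset and size, taken from offsetof/sizeof. */
struct member { size_t off, len; };
#define M(T, f) { offsetof(struct T, f), sizeof(((struct T *)0)->f) }
static const struct member tstamp_members[] = {
	M(tstamp_replica, byte_offset), M(tstamp_replica, copied_total), M(tstamp_replica, pcm_frames),
	M(tstamp_replica, pcm_io_frames), M(tstamp_replica, sampling_rate) };
static const struct member padded_members[] = {
	M(padded_example, flag), M(padded_example, count), M(padded_example, len), M(padded_example, value) };
/* True if byte index b lies inside no member, i.e. it is padding. */
static bool is_padding(size_t b, const struct member *m, size_t n) {
	for (size_t i = 0; i < n; i++)
		if (b >= m[i].off && b < m[i].off + m[i].len) return false;
	return true;
}
/* Number of padding bytes in a layout of 'total' bytes. */
size_t padding_bytes(const struct member *m, size_t n, size_t total) {
	size_t pad = 0;
	for (size_t b = 0; b < total; b++) pad += is_padding(b, m, n);
	return pad;
}
/* The property copy_to_user needs: every padding byte is zero (non-zero = stale kernel stack). */
bool padding_is_zero(const void *obj, const struct member *m, size_t n, size_t total) {
	const unsigned char *p = obj;
	for (size_t b = 0; b < total; b++)
		if (is_padding(b, m, n) && p[b] != 0) return false;
	return true;
}
/* Padding per layout: 0 for the tstamp replica, so zeroing padding there is a no-op. */
size_t tstamp_padding(void) { return padding_bytes(tstamp_members, 5, sizeof(struct tstamp_replica)); }
size_t padded_padding(void) { return padding_bytes(padded_members, 4, sizeof(struct padded_example)); }
/* memset() zeroes padding deterministically; '= {0}' is not required to by the C standard. */
bool memset_clears_padding(void) {
	struct padded_example s;
	memset(&s, 0, sizeof(s));
	return padding_is_zero(&s, padded_members, 4, sizeof(s));
}
/* Constructed stale-stack image (0xAA everywhere): the check must reject it. */
bool poisoned_padding_detected(void) {
	unsigned char raw[sizeof(struct padded_example)];
	memset(raw, 0xAA, sizeof(raw));
	return !padding_is_zero(raw, padded_members, 4, sizeof(raw));
}
```

The exact padding count of `struct padded_example` depends on the ABI's alignment of uint64_t, but it is non-zero on every common target, while the tstamp replica has none on any of them.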