[PATCH] ASoC: wcd934x: Fix a incorrect use of kstrndup
In wcd934x_codec_enable_dec(), widget_name is allocated by kstrndup(). However, according to doc: "Note: Use kmemdup_nul() instead if the size is known exactly." So we should use kmemdup_nul() here instead of kstrndup(). It's similar to CVE-2019-12454.
Signed-off-by: Miaoqian Lin linmq006@gmail.com --- sound/soc/codecs/wcd934x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index e63c6b723d76..c6677cfbce59 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5005,7 +5005,7 @@ static int wcd934x_codec_enable_dec(struct snd_soc_dapm_widget *w, char *dec; u8 hpf_coff_freq;
- widget_name = kstrndup(w->name, 15, GFP_KERNEL); + widget_name = kmemdup_nul(w->name, 15, GFP_KERNEL); if (!widget_name) return -ENOMEM;
On 12/14/21 4:25 PM, Miaoqian Lin wrote:
In wcd934x_codec_enable_dec(), widget_name is allocated by kstrndup(). However, according to doc: "Note: Use kmemdup_nul() instead if the size is known exactly." So we should use kmemdup_nul() here instead of kstrndup(). It's similar to CVE-2019-12454.
Signed-off-by: Miaoqian Lin linmq006@gmail.com
sound/soc/codecs/wcd934x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index e63c6b723d76..c6677cfbce59 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5005,7 +5005,7 @@ static int wcd934x_codec_enable_dec(struct snd_soc_dapm_widget *w, char *dec; u8 hpf_coff_freq;
- widget_name = kstrndup(w->name, 15, GFP_KERNEL);
- widget_name = kmemdup_nul(w->name, 15, GFP_KERNEL);
I'm wondering if it isn't better to re-structure the code to not allocate any memory.
something like
ret = sscan(w->name, "ADC MUX%d", &decimator); if (ret != 1) ...
On 12/14/21 4:25 PM, Miaoqian Lin wrote:
In wcd934x_codec_enable_dec(), widget_name is allocated by kstrndup(). However, according to doc: "Note: Use kmemdup_nul() instead if the size is known exactly." So we should use kmemdup_nul() here instead of kstrndup(). It's similar to CVE-2019-12454.
Signed-off-by: Miaoqian Lin linmq006@gmail.com
sound/soc/codecs/wcd934x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index e63c6b723d76..c6677cfbce59 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5005,7 +5005,7 @@ static int wcd934x_codec_enable_dec(struct snd_soc_dapm_widget *w, char *dec; u8 hpf_coff_freq;
- widget_name = kstrndup(w->name, 15, GFP_KERNEL);
- widget_name = kmemdup_nul(w->name, 15, GFP_KERNEL);
Thinking a bit more about it, this is wrong. The source string is shorter than 15 character. So with this change you are copying past the end of the string, which depending on where in memory the string is placed can cause undefined behavior.
participants (2)
-
Lars-Peter Clausen
-
Miaoqian Lin