* [PATCH] sound/pci/rme9652: prevent reading uninitialized stack memory
From: Dan Rosenberg @ 2010-09-25 15:07 UTC
To: perex, tiwai; +Cc: alsa-devel, linux-kernel, security, stable

The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
unprivileged users to read uninitialized kernel stack memory, because
several fields of the hdsp{m}_config_info structs declared on the stack
are not altered or zeroed before being copied back to the user. This
patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

diff -urp linux-2.6.35.5.orig/sound/pci/rme9652/hdsp.c linux-2.6.35.5/sound/pci/rme9652/hdsp.c
--- linux-2.6.35.5.orig/sound/pci/rme9652/hdsp.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/sound/pci/rme9652/hdsp.c 2010-09-25 10:59:42.000000000 -0400
@@ -4601,6 +4601,8 @@ static int snd_hdsp_hwdep_ioctl(struct s
unsigned long flags;
int i;
+ memset(&info, 0, sizeof(info));
+
err = hdsp_check_for_iobox(hdsp);
if (err < 0)
return err;
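Review bot: the memset(&info, 0, sizeof(info)) sits at the top of snd_hdsp_hwdep_ioctl(), ahead of hdsp_check_for_iobox(), so it runs on every call, including the path that returns early when the iobox check fails. Consider moving it into the branch that fills info, directly before the first field assignment, so the zeroing sits next to the code that later copies the struct to user space and is harder to lose in a refactor.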
diff -urp linux-2.6.35.5.orig/sound/pci/rme9652/hdspm.c linux-2.6.35.5/sound/pci/rme9652/hdspm.c
--- linux-2.6.35.5.orig/sound/pci/rme9652/hdspm.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/sound/pci/rme9652/hdspm.c 2010-09-25 10:58:44.000000000 -0400
@@ -4128,6 +4128,9 @@ static int snd_hdspm_hwdep_ioctl(struct
case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
spin_lock_irq(&hdspm->lock);
+
+ memset(&info, 0, sizeof(info));
+
info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
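Review bot: in the SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO case the memset(&info, 0, sizeof(info)) comes after spin_lock_irq(&hdspm->lock), so a stack-local struct is cleared with the lock held and interrupts off. info is not shared state; move the memset above spin_lock_irq() and drop the extra blank line added after the lock call.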
* Re: [PATCH] sound/pci/rme9652: prevent reading uninitialized stack memory
From: Takashi Iwai @ 2010-09-25 15:52 UTC
To: Dan Rosenberg; +Cc: security, alsa-devel, linux-kernel, stable

At Sat, 25 Sep 2010 11:07:27 -0400,
Dan Rosenberg wrote:
>
> The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
> SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
> unprivileged users to read uninitialized kernel stack memory, because
> several fields of the hdsp{m}_config_info structs declared on the stack
> are not altered or zeroed before being copied back to the user. This
> patch takes care of it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>

Thanks, applied now with minor optimization (memset outside
spinlock).

Takashi

> diff -urp linux-2.6.35.5.orig/sound/pci/rme9652/hdsp.c linux-2.6.35.5/sound/pci/rme9652/hdsp.c
> --- linux-2.6.35.5.orig/sound/pci/rme9652/hdsp.c 2010-09-20 16:59:09.000000000 -0400
> +++ linux-2.6.35.5/sound/pci/rme9652/hdsp.c 2010-09-25 10:59:42.000000000 -0400
> @@ -4601,6 +4601,8 @@ static int snd_hdsp_hwdep_ioctl(struct s
> unsigned long flags;
> int i;
>
> + memset(&info, 0, sizeof(info));
> +
> err = hdsp_check_for_iobox(hdsp);
> if (err < 0)
> return err;
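Review bot: nothing at the memset in snd_hdsp_hwdep_ioctl() says why it is there, and with fields assigned later it can look redundant to someone tidying up. A one-line comment above it stating that info is copied back to user space and must not carry leftover stack contents would keep it from being removed.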
> diff -urp linux-2.6.35.5.orig/sound/pci/rme9652/hdspm.c linux-2.6.35.5/sound/pci/rme9652/hdspm.c
> --- linux-2.6.35.5.orig/sound/pci/rme9652/hdspm.c 2010-09-20 16:59:09.000000000 -0400
> +++ linux-2.6.35.5/sound/pci/rme9652/hdspm.c 2010-09-25 10:58:44.000000000 -0400
> @@ -4128,6 +4128,9 @@ static int snd_hdspm_hwdep_ioctl(struct
> case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
>
> spin_lock_irq(&hdspm->lock);
> +
> + memset(&info, 0, sizeof(info));
> +
> info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
> info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
>
>
>
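Review bot: this quoted hdspm.c hunk still has the memset after spin_lock_irq(&hdspm->lock), while the reply says the patch was applied with the memset outside the spinlock, so the lines here are not what was committed. Since stable is in Cc, a backport should be taken from the applied commit rather than from this posting.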