From: Takashi Iwai <tiwai@suse.de>
To: HyeongJun An <sammiee5311@gmail.com>
Cc: Takashi Iwai <tiwai@suse.com>, Jaroslav Kysela <perex@perex.cz>,
linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
Date: Wed, 24 Jun 2026 11:03:45 +0200
Message-ID: <874iiswbri.wl-tiwai@suse.de>
In-Reply-To: <20260623233841.853326-1-sammiee5311@gmail.com>
On Wed, 24 Jun 2026 01:38:40 +0200,
HyeongJun An wrote:
>
> snd_seq_event_dup() copies an incoming event into a pool cell and, in
> the UMP-enabled build, clears the trailing cell->ump.raw.extra word that
> the memcpy() did not cover. The guard deciding whether to clear it
> compares the copied size against sizeof(cell->event):
>
>	memcpy(&cell->ump, event, size);
>	if (size < sizeof(cell->event))
>		cell->ump.raw.extra = 0;
>
> For a legacy (non-UMP) event, size == sizeof(struct snd_seq_event) ==
> sizeof(cell->event), so the condition is false and the extra word keeps
> stale data. The cell pool is allocated with kvmalloc() (not zeroed) and
> cells are reused via a free list, so that word holds uninitialised heap
> or leftover event data.
>
> When such a cell is delivered to a UMP client (client->midi_version > 0)
> that set SNDRV_SEQ_FILTER_NO_CONVERT -- so the legacy event reaches it
> unconverted -- snd_seq_read() reads it out as the larger struct
> snd_seq_ump_event and copies the stale word to user space, a 4-byte
> kernel heap infoleak to an unprivileged /dev/snd/seq client.
>
> Compare against sizeof(cell->ump) instead, so the trailing word is zeroed
> for every event shorter than the UMP cell.
>
> Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Applied now. Thanks.
Takashi
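The guard mismatch described in the quoted commit message, reproduced in userspace as an added example (this is not kernel code and not the submitter's patch). The struct layouts below are constructed stand-ins: `struct seq_event` is 28 bytes and `struct ump_event` is 32 bytes, so that `cell->event`, `cell->ump` and `cell->ump.raw.extra` line up the way the message describes; the real kernel definitions differ in detail. A cell is pre-filled with a constructed "stale" pattern to stand in for unzeroed kvmalloc() memory or a previous event on the free list, a legacy-sized event is copied in with the buggy guard and with the fixed guard, and the cell is then read back at UMP size the way snd_seq_read() would for a UMP client.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for the kernel's cell types (not the real layout). */
struct seq_event {
	uint8_t body[28];			/* legacy event, 28 bytes like struct snd_seq_event */
};

struct ump_event {
	union {
		uint8_t words[32];		/* full UMP-sized view, 32 bytes */
		struct {
			struct seq_event event;	/* legacy part */
			uint32_t extra;		/* trailing word memcpy() does not cover for legacy events */
		} raw;
	};
};

struct event_cell {
	union {
		struct seq_event event;		/* legacy view */
		struct ump_event ump;		/* UMP view */
	};
};

_Static_assert(sizeof(struct seq_event) == 28, "legacy event size");
_Static_assert(sizeof(struct ump_event) == 32, "UMP event size");

typedef void (*dup_fn)(struct event_cell *cell, const void *event, size_t size);

/* Buggy guard: compares against the legacy size, so a legacy event never clears the word. */
static void event_dup_buggy(struct event_cell *cell, const void *event, size_t size)
{
	memcpy(&cell->ump, event, size);
	if (size < sizeof(cell->event))
		cell->ump.raw.extra = 0;
}

/* Fixed guard: compares against the UMP cell size, so every shorter event gets the word zeroed. */
static void event_dup_fixed(struct event_cell *cell, const void *event, size_t size)
{
	memcpy(&cell->ump, event, size);
	if (size < sizeof(cell->ump))
		cell->ump.raw.extra = 0;
}

#define STALE_BYTE 0xA5		/* constructed marker for whatever the cell held before */

/*
 * Simulate: reuse a cell holding stale data, copy a legacy event into it with the
 * given dup routine, then read it back at UMP size as a UMP client with
 * SNDRV_SEQ_FILTER_NO_CONVERT would. Returns the trailing word the client sees.
 */
static uint32_t deliver_legacy_as_ump(dup_fn dup)
{
	struct event_cell cell;
	struct seq_event ev;
	uint8_t user_buf[sizeof(struct ump_event)];	/* stands in for the user-space copy */
	uint32_t extra;

	memset(&cell, STALE_BYTE, sizeof(cell));	/* unzeroed kvmalloc() / free-list leftover */
	memset(&ev, 0x11, sizeof(ev));			/* constructed legacy event payload */

	dup(&cell, &ev, sizeof(ev));			/* size == sizeof(cell->event) */

	/* snd_seq_read() copies the larger struct for a UMP client. */
	memcpy(user_buf, &cell.ump, sizeof(cell.ump));
	memcpy(&extra, user_buf + sizeof(struct seq_event), sizeof(extra));
	return extra;
}

/* 1 if the client would see bytes that were never part of the event it was sent. */
static int leaks_stale_word(dup_fn dup)
{
	return deliver_legacy_as_ump(dup) != 0;
}

int main(void)
{
	printf("buggy guard: trailing word = 0x%08x (leak: %d)\n",
	       deliver_legacy_as_ump(event_dup_buggy), leaks_stale_word(event_dup_buggy));
	printf("fixed guard: trailing word = 0x%08x (leak: %d)\n",
	       deliver_legacy_as_ump(event_dup_fixed), leaks_stale_word(event_dup_fixed));
	return 0;
}
```

With the buggy guard the trailing word comes back as the 0xA5 fill pattern, i.e. four bytes the event never contained; with the fixed guard it is zero. The same harness would also show that a genuinely shorter event clears the word under either guard, which is why the bug only surfaces for the legacy-sized case the commit message singles out.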
Thread overview: 2+ messages
2026-06-23 23:38 [PATCH] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup() HyeongJun An
2026-06-24 9:03 ` Takashi Iwai [this message]