public inbox for kernel-janitors@vger.kernel.org
* [patch 1/2] ALSA: hdspm - potential info leak in
@ 2011-09-23  6:24 Dan Carpenter
  2011-09-23  6:31 ` [patch 1/2] ALSA: hdspm - potential info leak in snd_hdspm_hwdep_ioctl() Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2011-09-23  6:24 UTC (permalink / raw)
  To: kernel-janitors

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

The status struct has a hole in it, and on some paths not all the
members were initialized.

struct hdspm_status {
        unsigned char              card_type;            /*     0     1 */
        /* XXX 3 bytes hole, try to pack */
        enum hdspm_syncsource      autosync_source;      /*     4     4 */
        long long unsigned int     card_clock;           /*     8     8 */

The hdspm_version struct had holes in it as well.

struct hdspm_version {
        unsigned char              card_type;            /*     0     1 */
        char                       cardname[20];         /*     1    20 */
        /* XXX 3 bytes hole, try to pack */
        unsigned int               serial;               /*    24     4 */
        short unsigned int         firmware_rev;         /*    28     2 */
        /* XXX 2 bytes hole, try to pack */
        int                        addons;               /*    32     4 */

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
index 214110d..bf438d1 100644
--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
 		break;
 
 	case SNDRV_HDSPM_IOCTL_GET_STATUS:
+		memset(&status, 0, sizeof(status));
+
 		status.card_type = hdspm->io_type;
 
 		status.autosync_source = hdspm_autosync_ref(hdspm);
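Review bot: the memset() at the top of the SNDRV_HDSPM_IOCTL_GET_STATUS case carries no comment, and the member assignments that follow it make it look redundant. Suggest a one-line comment above it saying that it clears the 3-byte hole after card_type, and any members a given path leaves unset, before the struct is copied to user space, so that a later cleanup does not drop it or swap it for a member-wise initializer, which is not guaranteed to zero padding.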
@@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
 		break;
 
 	case SNDRV_HDSPM_IOCTL_GET_VERSION:
+		memset(&hdspm_version, 0, sizeof(hdspm_version));
+
 		hdspm_version.card_type = hdspm->io_type;
 		strncpy(hdspm_version.cardname, hdspm->card_name,
 				sizeof(hdspm_version.cardname));
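Review bot: in the SNDRV_HDSPM_IOCTL_GET_VERSION case, the strncpy() in the context lines copies up to sizeof(hdspm_version.cardname) bytes, so a card_name of 20 or more characters leaves cardname without a terminating NUL. Now that the memset() zeroes the whole struct first, limiting the copy to sizeof(hdspm_version.cardname) - 1 would guarantee termination at no extra cost.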

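The struct holes described in the message above, as an added example that is not part of the original patch or the kernel source: a user-space model of the hdspm_version reply that counts how many stale bytes a whole-struct copy would carry with and without the leading memset(). The names version_demo, PUT, POISON and stale_bytes_in_reply, and the sample values, are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Member order and sizes follow the struct hdspm_version lines quoted above. */
struct version_demo {
    uint8_t  card_type;     /* offset  0, size  1 */
    char     cardname[20];  /* offset  1, size 20, then a 3-byte hole */
    uint32_t serial;        /* offset 24, size  4 */
    uint16_t firmware_rev;  /* offset 28, size  2, then a 2-byte hole */
    int32_t  addons;        /* offset 32, size  4 */
};

#define POISON 0xAA /* constructed stand-in for stale stack contents */
/* Store one member's bytes at its offset and touch nothing else. */
#define PUT(buf, member, src) \
    memcpy((buf) + offsetof(struct version_demo, member), (src), \
           sizeof(((struct version_demo *)0)->member))

/* Fill the reply member by member, as the ioctl case does, and return how
 * many stale bytes a whole-struct copy to user space would still carry. */
static size_t stale_bytes_in_reply(int zero_first)
{
    unsigned char reply[sizeof(struct version_demo)];
    uint8_t type = 1;                 /* constructed sample values */
    uint32_t serial = 0x00123456;
    uint16_t rev = 0x0102;
    int32_t addons = 0;
    char name[20];
    size_t i, stale = 0;

    memset(reply, POISON, sizeof(reply));     /* "uninitialized" stack */
    if (zero_first)
        memset(reply, 0, sizeof(reply));      /* what the patch adds */
    strncpy(name, "demo card", sizeof(name)); /* zero-pads to 20 bytes */
    PUT(reply, card_type, &type);
    PUT(reply, cardname, name);
    PUT(reply, serial, &serial);
    PUT(reply, firmware_rev, &rev);
    PUT(reply, addons, &addons);
    for (i = 0; i < sizeof(reply); i++)
        stale += (reply[i] == POISON);
    return stale;
}

int main(void)
{
    printf("member-wise only: %zu stale, memset first: %zu stale\n",
           stale_bytes_in_reply(0), stale_bytes_in_reply(1));
}
```
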

* Re: [patch 1/2] ALSA: hdspm - potential info leak in snd_hdspm_hwdep_ioctl()
  2011-09-23  6:24 [patch 1/2] ALSA: hdspm - potential info leak in Dan Carpenter
@ 2011-09-23  6:31 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2011-09-23  6:31 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: alsa-devel, kernel-janitors, Adrian Knoth, Florian Faber,
	Fredrik Lingvall

At Fri, 23 Sep 2011 09:24:21 +0300,
Dan Carpenter wrote:
> 
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
> 
> The status struct has a hole in it, and on some paths not all the
> members were initialized.
> 
> struct hdspm_status {
>         unsigned char              card_type;            /*     0     1 */
>         /* XXX 3 bytes hole, try to pack */
>         enum hdspm_syncsource      autosync_source;      /*     4     4 */
>         long long unsigned int     card_clock;           /*     8     8 */
> 
> The hdspm_version struct had holes in it as well.
> 
> struct hdspm_version {
>         unsigned char              card_type;            /*     0     1 */
>         char                       cardname[20];         /*     1    20 */
>         /* XXX 3 bytes hole, try to pack */
>         unsigned int               serial;               /*    24     4 */
>         short unsigned int         firmware_rev;         /*    28     2 */
>         /* XXX 2 bytes hole, try to pack */
>         int                        addons;               /*    32     4 */
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied now.  Thanks.


Takashi


> diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
> index 214110d..bf438d1 100644
> --- a/sound/pci/rme9652/hdspm.c
> +++ b/sound/pci/rme9652/hdspm.c
> @@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
>  		break;
>  
>  	case SNDRV_HDSPM_IOCTL_GET_STATUS:
> +		memset(&status, 0, sizeof(status));
> +
>  		status.card_type = hdspm->io_type;
>  
>  		status.autosync_source = hdspm_autosync_ref(hdspm);
> @@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
>  		break;
>  
>  	case SNDRV_HDSPM_IOCTL_GET_VERSION:
> +		memset(&hdspm_version, 0, sizeof(hdspm_version));
> +
>  		hdspm_version.card_type = hdspm->io_type;
>  		strncpy(hdspm_version.cardname, hdspm->card_name,
>  				sizeof(hdspm_version.cardname));
> 
