* [PATCH] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
From: HyeongJun An @ 2026-06-23 23:38 UTC (permalink / raw)
To: Takashi Iwai, Jaroslav Kysela
Cc: linux-sound, linux-kernel, HyeongJun An, stable
snd_seq_event_dup() copies an incoming event into a pool cell and, in
the UMP-enabled build, clears the trailing cell->ump.raw.extra word that
the memcpy() did not cover. The guard deciding whether to clear it
compares the copied size against sizeof(cell->event):
memcpy(&cell->ump, event, size);
if (size < sizeof(cell->event))
cell->ump.raw.extra = 0;
For a legacy (non-UMP) event, size == sizeof(struct snd_seq_event) ==
sizeof(cell->event), so the condition is false and the extra word keeps
stale data. The cell pool is allocated with kvmalloc() (not zeroed) and
cells are reused via a free list, so that word holds uninitialised heap
or leftover event data.
When such a cell is delivered to a UMP client (client->midi_version > 0)
that set SNDRV_SEQ_FILTER_NO_CONVERT -- so the legacy event reaches it
unconverted -- snd_seq_read() reads it out as the larger struct
snd_seq_ump_event and copies the stale word to user space, a 4-byte
kernel heap infoleak to an unprivileged /dev/snd/seq client.
Compare against sizeof(cell->ump) instead, so the trailing word is zeroed
for every event shorter than the UMP cell.
Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
sound/core/seq/seq_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index ca9f6db0022c..209b08c2a940 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -364,7 +364,7 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
size = snd_seq_event_packet_size(event);
memcpy(&cell->ump, event, size);
#if IS_ENABLED(CONFIG_SND_SEQ_UMP)
- if (size < sizeof(cell->event))
+ if (size < sizeof(cell->ump))
cell->ump.raw.extra = 0;
#endif
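Review bot: the clear on the line after the changed guard still zeroes only cell->ump.raw.extra, so the fix relies on that single word being exactly the tail that the memcpy() just above leaves uncovered when size == sizeof(cell->event); a layout-independent alternative is to zero whatever the copy did not cover, e.g. `memset((char *)&cell->ump + size, 0, sizeof(cell->ump) - size);`, which stays correct if the gap between the two sizes ever changes. If the single-word clear is kept, a one-line comment stating that sizeof(cell->ump) - sizeof(cell->event) is that one word would make the intent obvious to the next reader.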
--
2.43.0
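The leak mechanics described in the patch, as an added user-space model that is not the kernel's code: a recycled cell holding stale bytes receives a 28-byte legacy event and is then read back as the 32-byte UMP struct. The struct definitions, the `cell` union, the enum names and the sample event are assumptions that stand in for the ALSA sequencer types; only the size relationship (28-byte legacy event, 32-byte UMP event, one trailing 32-bit word) is taken from the commit message. The example also carries the patch's fix one step further with a layout-independent tail memset, which is not part of the posted change.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct snd_seq_event (28 bytes): header + 12 data bytes.
 * Layout is an assumption, only the total size matters here. */
struct legacy_event {
	uint8_t  type, flags, tag, queue;
	uint32_t time[2];
	uint8_t  src_client, src_port, dst_client, dst_port;
	uint32_t data[3];
};

/* Stand-in for struct snd_seq_ump_event (32 bytes): same header plus
 * 16 bytes of UMP payload. */
struct ump_event {
	uint8_t  type, flags, tag, queue;
	uint32_t time[2];
	uint8_t  src_client, src_port, dst_client, dst_port;
	uint32_t ump[4];
};

_Static_assert(sizeof(struct legacy_event) == 28, "legacy event size");
_Static_assert(sizeof(struct ump_event) == 32, "ump event size");

/* Stand-in for the pool cell: a union holding either event; the "raw"
 * view names the trailing word a legacy-sized copy never writes. */
struct cell {
	union {
		struct legacy_event event;
		struct ump_event    ump;
		struct {
			struct legacy_event event;
			uint32_t extra;
		} raw;
	};
};

enum guard { GUARD_BUGGY, GUARD_FIXED, GUARD_MEMSET };

/* Models the copy in snd_seq_event_dup() with three guard variants: the
 * original compare against sizeof(cell->event), the patch's compare
 * against sizeof(cell->ump), and a tail memset that does not depend on
 * the extra word being the only uncovered bytes (added alternative). */
static void dup_event(struct cell *cell, const void *src, size_t size,
		      enum guard g)
{
	memcpy(&cell->ump, src, size);
	switch (g) {
	case GUARD_BUGGY:
		if (size < sizeof(cell->event))   /* never true: size >= 28 */
			cell->raw.extra = 0;
		break;
	case GUARD_FIXED:
		if (size < sizeof(cell->ump))     /* true for a 28-byte event */
			cell->raw.extra = 0;
		break;
	case GUARD_MEMSET:
		if (size < sizeof(cell->ump))
			memset((char *)&cell->ump + size, 0,
			       sizeof(cell->ump) - size);
		break;
	}
}

/* Delivers a legacy event through a recycled cell and reads it back the
 * way a UMP client with SNDRV_SEQ_FILTER_NO_CONVERT would (as the larger
 * struct); returns the trailing word that reaches user space. */
uint32_t leaked_word(enum guard g)
{
	struct cell cell;
	struct legacy_event ev;
	struct ump_event out;

	/* Recycled cell: stale bytes left by an earlier event (constructed). */
	memset(&cell, 0xAA, sizeof(cell));

	/* Constructed 28-byte legacy event: note-on, client 128 -> 129. */
	memset(&ev, 0, sizeof(ev));
	ev.type = 6;
	ev.src_client = 128;
	ev.dst_client = 129;
	ev.data[0] = 0x3c;
	ev.data[1] = 0x7f;

	dup_event(&cell, &ev, sizeof(ev), g);

	/* The read path copies sizeof(struct ump_event) bytes to the user. */
	memcpy(&out, &cell.ump, sizeof(out));
	return out.ump[3];            /* offset 28: the cell's extra word */
}

int main(void)
{
	printf("buggy guard: extra word = 0x%08x\n", leaked_word(GUARD_BUGGY));
	printf("fixed guard: extra word = 0x%08x\n", leaked_word(GUARD_FIXED));
	printf("memset tail: extra word = 0x%08x\n", leaked_word(GUARD_MEMSET));
	return 0;
}
```

With the buggy guard the word read back is the 0xAA fill, i.e. whatever the previous occupant of the cell left behind; with either corrected variant it is zero. The memset variant is the one to prefer when the uncovered tail might ever be larger than a single word.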
* Re: [PATCH] ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
From: Takashi Iwai @ 2026-06-24 9:03 UTC (permalink / raw)
To: HyeongJun An
Cc: Takashi Iwai, Jaroslav Kysela, linux-sound, linux-kernel, stable
On Wed, 24 Jun 2026 01:38:40 +0200,
HyeongJun An wrote:
>
> snd_seq_event_dup() copies an incoming event into a pool cell and, in
> the UMP-enabled build, clears the trailing cell->ump.raw.extra word that
> the memcpy() did not cover. The guard deciding whether to clear it
> compares the copied size against sizeof(cell->event):
>
> memcpy(&cell->ump, event, size);
> if (size < sizeof(cell->event))
> cell->ump.raw.extra = 0;
>
> For a legacy (non-UMP) event, size == sizeof(struct snd_seq_event) ==
> sizeof(cell->event), so the condition is false and the extra word keeps
> stale data. The cell pool is allocated with kvmalloc() (not zeroed) and
> cells are reused via a free list, so that word holds uninitialised heap
> or leftover event data.
>
> When such a cell is delivered to a UMP client (client->midi_version > 0)
> that set SNDRV_SEQ_FILTER_NO_CONVERT -- so the legacy event reaches it
> unconverted -- snd_seq_read() reads it out as the larger struct
> snd_seq_ump_event and copies the stale word to user space, a 4-byte
> kernel heap infoleak to an unprivileged /dev/snd/seq client.
>
> Compare against sizeof(cell->ump) instead, so the trailing word is zeroed
> for every event shorter than the UMP cell.
>
> Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Applied now. Thanks.
Takashi