Re: [PATCH] ALSA: seq: Fix kernel heap address leak in bounce_error_event()

[Takashi Iwai <tiwai@suse.de>]

On Fri, 12 Jun 2026 12:32:22 +0200,
HanQuan wrote:
> 
> The comment above bounce_error_event() documents that user clients
> should receive SNDRV_SEQ_EVENT_BOUNCE with the original event embedded
> as variable-length data, while kernel clients should receive
> SNDRV_SEQ_EVENT_KERNEL_ERROR with a quoted kernel pointer.
> 
> However, the implementation unconditionally uses
> SNDRV_SEQ_EVENT_KERNEL_ERROR with data.quote.event set to the raw
> struct snd_seq_event pointer for all clients.  When a bounce error
> event is delivered to a USER_CLIENT via snd_seq_read(), the kernel
> heap address in data.quote.event is exposed to userspace through
> copy_to_user() in the fixed-length branch.
> 
> This is a distinct leak path from the one addressed by commit
> 705dd6dcbc0e ("ALSA: seq: Clear variable event pointer on read"),
> which sanitizes data.ext.ptr in the variable-length branch of
> snd_seq_read().  The bounce_error_event() leak uses fixed-length
> events that take the else branch where no sanitization occurs.
> 
> Differentiate the bounce event by client type.  For USER_CLIENT,
> send SNDRV_SEQ_EVENT_BOUNCE with SNDRV_SEQ_EVENT_LENGTH_VARIABLE
> and data.ext pointing to the original event.  The variable-length
> path in snd_seq_event_dup() copies the event data into chained
> cells, and snd_seq_expand_var_event() copies only the content --
> never the pointer -- to userspace.  For KERNEL_CLIENT, keep the
> existing SNDRV_SEQ_EVENT_KERNEL_ERROR behavior with the quoted
> pointer.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>

Applied to for-next branch now.  Thanks.


Takashi