From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id AFF88C433FE
	for <linux-kernel@archiver.kernel.org>; Wed, 23 Nov 2022 06:56:02 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236144AbiKWG4B (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 23 Nov 2022 01:56:01 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51306 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236072AbiKWGz7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 23 Nov 2022 01:55:59 -0500
Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 14094F41A7
        for <linux-kernel@vger.kernel.org>; Tue, 22 Nov 2022 22:55:57 -0800 (PST)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by smtp-out1.suse.de (Postfix) with ESMTPS id 8003D220D5;
        Wed, 23 Nov 2022 06:55:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
        t=1669186556; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=DWIEFciCRBJZr4QjejGTJsTfwg2gOtGq8bBxtqG2n8Y=;
        b=wfmbIv8JpgkhaZK8IIXmc5hWdRBRECNB1gXH6/QkPtm9Wo3WSygKkxZqNqy8O8FVv9VXNg
        GY++2ZG1C9iM2Q/aamtiCsmgpXQAt9sjfUKXYBqEgWKddynrY6Dn7S3OlHkQcKmFiU4HT4
        q5uIGt359H+869VsnU8MsYPHvDtx+rA=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
        s=susede2_ed25519; t=1669186556;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=DWIEFciCRBJZr4QjejGTJsTfwg2gOtGq8bBxtqG2n8Y=;
        b=GFRPrWkEHgYQbiDNPXUQHVtuSEx0ietQjcKiXG9GwaQasQCLjXIXUYPQkDqo7wmo/Gn9T8
        6pOIeDfor7etEDAQ==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 5114913A37;
        Wed, 23 Nov 2022 06:55:56 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id krdFEvzDfWO2RQAAMHmgww
        (envelope-from <tiwai@suse.de>); Wed, 23 Nov 2022 06:55:56 +0000
Date:   Wed, 23 Nov 2022 07:55:56 +0100
Message-ID: <87mt8i5fcz.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Xiaolong Huang <butterflyhuangxx@gmail.com>
Cc:     perex@perex.cz, tiwai@suse.com, baolin.wang@linux.alibaba.com,
        alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: Re: [RESEND PATCH] ALSA: rawmidi: fix infoleak in snd_rawmidi_ioctl_status_compat64
In-Reply-To: <20221123050911.1045190-1-butterflyhuangxx@gmail.com>
References: <20221123050911.1045190-1-butterflyhuangxx@gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.2 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 23 Nov 2022 06:09:11 +0100,
Xiaolong Huang wrote:
> 
> The compat_status is declared off of the stack, so it needs to
> be zeroed out before copied back to userspace to prevent any
> unintentional data leakage.
> 
> Fixes: d9e5582c4bb2 ("ALSA: Avoid using timespec for struct snd_rawmidi_status")
> Signed-off-by: Xiaolong Huang <butterflyhuangxx@gmail.com>
> 
> ---
> 
> Reason for resend:
> 1. add Fixes line.
> ---
>  sound/core/rawmidi_compat.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c
> index 68a93443583c..6afa68165b17 100644
> --- a/sound/core/rawmidi_compat.c
> +++ b/sound/core/rawmidi_compat.c
> @@ -80,6 +80,7 @@ static int snd_rawmidi_ioctl_status_compat64(struct snd_rawmidi_file *rfile,
>  	if (err < 0)
>  		return err;
>  
> +	memset(&compat_status, 0, sizeof(compat_status));
>  	compat_status = (struct compat_snd_rawmidi_status64) {
>  		.stream = status.stream,
>  		.tstamp_sec = status.tstamp_sec,

Here at the line just after your addition, compat_status is fully
initialized by substitution, so I believe the memset is superfluous.

Or have you verified that it really leaks the uninitialized memory?


thanks,

Takashi