From: "Amadeusz Sławiński" <amadeuszx.slawinski@linux.intel.com>
To: Fullway Wang <fullwaywang@outlook.com>,
broonie@kernel.org, srinivas.kandagatla@linaro.org,
bgoswami@quicinc.com, tiwai@suse.com
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
fullwaywang@tencent.com
Subject: Re: [PATCH] sound: soc: wcd934x: fix an incorrect use of kstrndup()
Date: Tue, 30 Jan 2024 10:56:41 +0100 [thread overview]
Message-ID: <8c92d33d-923b-4805-abdf-752e8943072e@linux.intel.com> (raw)
In-Reply-To: <PH7PR20MB59255EF9DFFB022CB1BBB574BF712@PH7PR20MB5925.namprd20.prod.outlook.com>
On 1/18/2024 8:52 AM, Fullway Wang wrote:
> In wcd934x_codec_enable_dec(), kstrndup() is used to alloc memory.
> However, kmemdup_nul() should be used instead with the size known.
>
> This is similar to CVE-2019-12454 which was fixed in commit
> a549881.
>
> Signed-off-by: Fullway Wang <fullwaywang@outlook.com>
> ---
> sound/soc/codecs/wcd934x.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c
> index 1b6e376f3833..4565a0e1877f 100644
> --- a/sound/soc/codecs/wcd934x.c
> +++ b/sound/soc/codecs/wcd934x.c
> @@ -4990,7 +4990,7 @@ static int wcd934x_codec_enable_dec(struct snd_soc_dapm_widget *w,
> char *dec;
> u8 hpf_coff_freq;
>
> - widget_name = kstrndup(w->name, 15, GFP_KERNEL);
> + widget_name = kmemdup_nul(w->name, 15, GFP_KERNEL);
> if (!widget_name)
> return -ENOMEM;
>
This change looks weird to me, and looking at code I'm even more
confused. As far as I can tell code tries to find a number in w->name.
It shouldn't need a duplicate string for this, it can search in existing
one, same applies to referenced commit.
And when it comes to a549881 as already mentioned in
https://lore.kernel.org/alsa-devel/7573d8ce-7160-39b1-8901-be9155c451a1@suse.cz/
the size is at most 15 not equal to, so change was misguided. If you
look at actual code widget name is around 8 characters.
Also it seems like consensus was that CVE was bogus and it was a wrong
change:
https://lore.kernel.org/alsa-devel/20190618230527.GE6248@lindsey/
there was a revert send, but it seems like it was not applied:
https://lore.kernel.org/alsa-devel/20190612133040.5kgtio7gidxx64gh@xylophone.i.decadent.org.uk/
next prev parent reply other threads:[~2024-01-30 9:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-18 7:52 [PATCH] sound: soc: wcd934x: fix an incorrect use of kstrndup() Fullway Wang
2024-01-29 21:32 ` Mark Brown
2024-01-30 9:56 ` Amadeusz Sławiński [this message]
2024-01-30 15:43 ` Mark Brown
2024-02-01 9:04 ` Amadeusz Sławiński
2024-02-01 12:31 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8c92d33d-923b-4805-abdf-752e8943072e@linux.intel.com \
--to=amadeuszx.slawinski@linux.intel.com \
--cc=bgoswami@quicinc.com \
--cc=broonie@kernel.org \
--cc=fullwaywang@outlook.com \
--cc=fullwaywang@tencent.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=srinivas.kandagatla@linaro.org \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox