Message ID | 20200422112417.208843-1-colin.king@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Series | ASoC: SOF: ensure all fields in header are zero'd before copying back to userspace |
On Wed, Apr 22, 2020 at 12:24:17PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> Field header.tlv is uninitialized and being copied back to userspace
        ^^^^^^^^^^
header.tlv is a zero element array so it doesn't have any stack data.

> and hence leaking data from the stack to userspace. Fix this by
> ensuring the header structure is zero'd.

regards,
dan carpenter
On 22/04/2020 12:45, Dan Carpenter wrote:
> On Wed, Apr 22, 2020 at 12:24:17PM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Field header.tlv is uninitialized and being copied back to userspace
>         ^^^^^^^^^^
> header.tlv is a zero element array so it doesn't have any stack data.

Thanks Dan, I totally overlooked that. That's another class of issues I need to triage correctly.

>
>> and hence leaking data from the stack to userspace. Fix this by
>> ensuring the header structure is zero'd.
>
> regards,
> dan carpenter
>
>
diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c index dfc412e2d956..97d5c1a4c1ff 100644 --- a/sound/soc/sof/control.c +++ b/sound/soc/sof/control.c @@ -362,7 +362,7 @@ int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol, struct snd_sof_control *scontrol = be->dobj.private; struct snd_soc_component *scomp = scontrol->scomp; struct sof_ipc_ctrl_data *cdata = scontrol->control_data; - struct snd_ctl_tlv header; + struct snd_ctl_tlv header = { }; struct snd_ctl_tlv __user *tlvd = (struct snd_ctl_tlv __user *)binary_data; int data_size;
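Review bot: The `= { }` initializer added to `header` in snd_sof_bytes_ext_get() does not match the justification in the commit message. As pointed out in the review reply, header.tlv is a zero element array, so it takes no storage in the on-stack struct and there is nothing in it that could leak. The hunk does not show the code that fills `header` and copies it to `tlvd`, so whether any other member can reach userspace unset cannot be judged from these lines. If every fixed-size member is assigned before the copy, the initializer is redundant and the patch can be dropped; if one is not, the commit message should name that member instead of header.tlv.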