Commit 643d6bbb authored by Dan Carpenter's avatar Dan Carpenter Committed by Takashi Iwai

ALSA: hdspm - potential info leak in snd_hdspm_hwdep_ioctl()

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

The status struct has a hole in it, and on some paths not all the
members were initialized.

struct hdspm_status {
        unsigned char              card_type;            /*     0     1 */
        /* XXX 3 bytes hole, try to pack */
        enum hdspm_syncsource      autosync_source;      /*     4     4 */
        long long unsigned int     card_clock;           /*     8     8 */

The hdspm_version struct had holes in it as well.

struct hdspm_version {
        unsigned char              card_type;            /*     0     1 */
        char                       cardname[20];         /*     1    20 */
        /* XXX 3 bytes hole, try to pack */
        unsigned int               serial;               /*    24     4 */
        short unsigned int         firmware_rev;         /*    28     2 */
        /* XXX 2 bytes hole, try to pack */
        int                        addons;               /*    32     4 */
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 8e699d2c
...@@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, ...@@ -6227,6 +6227,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
break; break;
case SNDRV_HDSPM_IOCTL_GET_STATUS: case SNDRV_HDSPM_IOCTL_GET_STATUS:
memset(&status, 0, sizeof(status));
status.card_type = hdspm->io_type; status.card_type = hdspm->io_type;
status.autosync_source = hdspm_autosync_ref(hdspm); status.autosync_source = hdspm_autosync_ref(hdspm);
...@@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file, ...@@ -6266,6 +6268,8 @@ static int snd_hdspm_hwdep_ioctl(struct snd_hwdep *hw, struct file *file,
break; break;
case SNDRV_HDSPM_IOCTL_GET_VERSION: case SNDRV_HDSPM_IOCTL_GET_VERSION:
memset(&hdspm_version, 0, sizeof(hdspm_version));
hdspm_version.card_type = hdspm->io_type; hdspm_version.card_type = hdspm->io_type;
strncpy(hdspm_version.cardname, hdspm->card_name, strncpy(hdspm_version.cardname, hdspm->card_name,
sizeof(hdspm_version.cardname)); sizeof(hdspm_version.cardname));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment