[for-3.18,19/24] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

Message ID 1494340968-17152-20-git-send-email-amit.pundir@linaro.org
State New
Headers show
Series
  • Security fixes from 2015 and 2016 android security bulletins
Related show

Commit Message

Amit Pundir May 9, 2017, 2:42 p.m.
From: Kangjie Lu <kangjielu@gmail.com>


commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.

The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>

Signed-off-by: Takashi Iwai <tiwai@suse.de>

Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.7.4

Patch hide | download patch | download mbox

diff --git a/sound/core/timer.c b/sound/core/timer.c
index fa4ded0c2230..ede058bd49a4 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1759,6 +1759,7 @@  static int snd_timer_user_params(struct file *file,
 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
 		if (tu->tread) {
 			struct snd_timer_tread tread;
+			memset(&tread, 0, sizeof(tread));
 			tread.event = SNDRV_TIMER_EVENT_EARLY;
 			tread.tstamp.tv_sec = 0;
 			tread.tstamp.tv_nsec = 0;