diff mbox series

[1/2] ALSA: oxfw: fix info leak in hwdep_read()

Message ID YAkassrrWUtsW6aZ@mwanda
State New
Headers show
Series [1/2] ALSA: oxfw: fix info leak in hwdep_read() | expand

Commit Message

Dan Carpenter Jan. 21, 2021, 6:09 a.m. UTC
If "count" is too large and "oxfw->dev_lock_changed" is false then this
will copy beyond the end of the struct to user space.

Fixes: 8985f4ac1c42 ("ALSA: oxfw: Add hwdep interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 sound/firewire/oxfw/oxfw-hwdep.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Dan Carpenter Jan. 22, 2021, 7:27 a.m. UTC | #1
Please ignore this one.  Christophe JAILLET pointed out that the info
leak isn't possible.  I'll send a clean up patch instead.

regards,
dan carpenter
diff mbox series

Patch

diff --git a/sound/firewire/oxfw/oxfw-hwdep.c b/sound/firewire/oxfw/oxfw-hwdep.c
index 9e1b3e151bad..ca5477eeb663 100644
--- a/sound/firewire/oxfw/oxfw-hwdep.c
+++ b/sound/firewire/oxfw/oxfw-hwdep.c
@@ -35,12 +35,12 @@  static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf,  long count,
 	}
 
 	memset(&event, 0, sizeof(event));
+	count = min_t(long, count, sizeof(event.lock_status));
 	if (oxfw->dev_lock_changed) {
 		event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
 		event.lock_status.status = (oxfw->dev_lock_count > 0);
 		oxfw->dev_lock_changed = false;
 
-		count = min_t(long, count, sizeof(event.lock_status));
 	}
 
 	spin_unlock_irq(&oxfw->lock);