Message ID | 20230905081210.6731-1-tiwai@suse.de |
---|---|
State | New |
Headers | show |
Series | [v2] ALSA: seq: Fix snd_seq_expand_var_event() call to user-space | expand |
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c index 174585bf59d2..b603bb93f896 100644 --- a/sound/core/seq/seq_memory.c +++ b/sound/core/seq/seq_memory.c @@ -187,8 +187,13 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char err = expand_var_event(event, 0, len, buf, in_kernel); if (err < 0) return err; - if (len != newlen) - memset(buf + len, 0, newlen - len); + if (len != newlen) { + if (in_kernel) + memset(buf + len, 0, newlen - len); + else if (clear_user((__force void __user *)buf + len, + newlen - len)) + return -EFAULT; + } return newlen; } EXPORT_SYMBOL(snd_seq_expand_var_event);
The recent fix to clear the padding bytes at snd_seq_expand_var_event() broke the read to user-space with in_kernel=0 parameter. For user-space address, it has to use clear_user() instead of memset(). Fixes: f80e6d60d677 ("ALSA: seq: Clear padded bytes at expanding events") Reported-and-tested-by: Ash Holland <ash@sorrel.sh> Closes: https://lore.kernel.org/r/8a555319-9f31-4ea2-878f-adc338bc40d4@sorrel.sh Link: https://lore.kernel.org/r/20230905052631.18240-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> --- v1->v2: add clear_user() return check sound/core/seq/seq_memory.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)