[thirdparty/kernel/stable-queue.git] / releases / 2.6.35.8 / alsa-sound-pci-rme9652-prevent-reading-uninitialized-stack-memory.patch

From e68d3b316ab7b02a074edc4f770e6a746390cb7d Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Sat, 25 Sep 2010 11:07:27 -0400
Subject: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory

From: Dan Rosenberg <drosenberg@vsecurity.com>

commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.

The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
unprivileged users to read uninitialized kernel stack memory, because
several fields of the hdsp{m}_config_info structs declared on the stack
are not altered or zeroed before being copied back to the user.  This
patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 sound/pci/rme9652/hdsp.c  |    1 +
 sound/pci/rme9652/hdspm.c |    1 +
 2 files changed, 2 insertions(+)

--- a/sound/pci/rme9652/hdsp.c
+++ b/sound/pci/rme9652/hdsp.c
@@ -4609,6 +4609,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
 		if (err < 0)
 			return err;
 
+		memset(&info, 0, sizeof(info));
 		spin_lock_irqsave(&hdsp->lock, flags);
 		info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
 		info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -4127,6 +4127,7 @@ static int snd_hdspm_hwdep_ioctl(struct
 
 	case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
 
+		memset(&info, 0, sizeof(info));
 		spin_lock_irq(&hdspm->lock);
 		info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
 		info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
Commit	Line	Data
f723613a GKH	1	From e68d3b316ab7b02a074edc4f770e6a746390cb7d Mon Sep 17 00:00:00 2001
	2	From: Dan Rosenberg <drosenberg@vsecurity.com>
	3	Date: Sat, 25 Sep 2010 11:07:27 -0400
	4	Subject: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
	5
	6	From: Dan Rosenberg <drosenberg@vsecurity.com>
	7
	8	commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.
	9
	10	The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
	11	SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
	12	unprivileged users to read uninitialized kernel stack memory, because
	13	several fields of the hdsp{m}_config_info structs declared on the stack
	14	are not altered or zeroed before being copied back to the user. This
	15	patch takes care of it.
	16
	17	Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
	18	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	19	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	20
	21	---
	22	sound/pci/rme9652/hdsp.c \| 1 +
	23	sound/pci/rme9652/hdspm.c \| 1 +
	24	2 files changed, 2 insertions(+)
	25
	26	--- a/sound/pci/rme9652/hdsp.c
	27	+++ b/sound/pci/rme9652/hdsp.c
	28	@@ -4609,6 +4609,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
	29	if (err < 0)
	30	return err;
	31
	32	+ memset(&info, 0, sizeof(info));
	33	spin_lock_irqsave(&hdsp->lock, flags);
	34	info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
	35	info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
	36	--- a/sound/pci/rme9652/hdspm.c
	37	+++ b/sound/pci/rme9652/hdspm.c
	38	@@ -4127,6 +4127,7 @@ static int snd_hdspm_hwdep_ioctl(struct
	39
	40	case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
	41
	42	+ memset(&info, 0, sizeof(info));
	43	spin_lock_irq(&hdspm->lock);
	44	info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
	45	info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);