releases/4.6.6/alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch

   1 From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001
   2 From: Kangjie Lu <kangjielu@gmail.com>
   3 Date: Tue, 3 May 2016 16:44:32 -0400
   4 Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 From: Kangjie Lu <kangjielu@gmail.com>
  10
  11 commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.
  12
  13 The stack object “r1” has a total size of 32 bytes. Its field
  14 “event” and “val” both contain 4 bytes padding. These 8 bytes
  15 padding bytes are sent to user without being initialized.
  16
  17 Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
  18 Signed-off-by: Takashi Iwai <tiwai@suse.de>
  19 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  20
  21 ---
  22  sound/core/timer.c |    1 +
  23  1 file changed, 1 insertion(+)
  24
  25 --- a/sound/core/timer.c
  26 +++ b/sound/core/timer.c
  27 @@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(st
  28         }
  29         if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
  30             tu->last_resolution != resolution) {
  31 +               memset(&r1, 0, sizeof(r1));
  32                 r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
  33                 r1.tstamp = tstamp;
  34                 r1.val = resolution;