ALSA: bebob: potential info leak in hwdep_read()

Dan Carpenter · tiwai · commit b41c15f4e1c1 · 2020-10-07T17:33:52.000+02:00
The "count" variable needs to be capped on every path so that we don't copy too much information to the user. Fixes: 618eabe ("ALSA: bebob: Add hwdep interface") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20201007074928.GA2529578@mwanda Signed-off-by: Takashi Iwai <tiwai@suse.de>
diff --git a/sound/firewire/bebob/bebob_hwdep.c b/sound/firewire/bebob/bebob_hwdep.c
@@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf,  long count,
 	}
 
 	memset(&event, 0, sizeof(event));
+	count = min_t(long, count, sizeof(event.lock_status));
 	if (bebob->dev_lock_changed) {
 		event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
 		event.lock_status.status = (bebob->dev_lock_count > 0);
 		bebob->dev_lock_changed = false;
-
-		count = min_t(long, count, sizeof(event.lock_status));
 	}
 
 	spin_unlock_irq(&bebob->lock);

Original file line number	Diff line number	Diff line change
`@@ -36,12 +36,11 @@ hwdep_read(struct snd_hwdep hwdep, char __user buf, long count,`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`memset(&event, 0, sizeof(event));`
	`39`	`+ count = min_t(long, count, sizeof(event.lock_status));`
`39`	`40`	`if (bebob->dev_lock_changed) {`
`40`	`41`	`event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;`
`41`	`42`	`event.lock_status.status = (bebob->dev_lock_count > 0);`
`42`	`43`	`bebob->dev_lock_changed = false;`
`43`		`-`
`44`		`- count = min_t(long, count, sizeof(event.lock_status));`
`45`	`44`	`}`
`46`	`45`
`47`	`46`	`spin_unlock_irq(&bebob->lock);`