Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events

The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).

Fix by using min_t() to clamp the copy size. This ensures we never copy
more than the user requested.

Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by Junrui Luo and committed by Takashi Iwai
210d77cc c34b04cc

+3 -2
sound/firewire/motu/motu-hwdep.c
··· 83 83 event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE; 84 84 event.motu_register_dsp_change.count = 85 85 (consumed - sizeof(event.motu_register_dsp_change)) / 4; 86 - if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change))) 86 + if (copy_to_user(buf, &event, 87 + min_t(long, count, sizeof(event.motu_register_dsp_change)))) 87 88 return -EFAULT; 88 89 89 - count = consumed; 90 + count = min_t(long, count, consumed); 90 91 } else { 91 92 spin_unlock_irq(&motu->lock); 92 93
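
Review bot: At the clamped copy_to_user() call, a read whose count is smaller than sizeof(event.motu_register_dsp_change) now succeeds and hands userspace a truncated event header, while event.motu_register_dsp_change.count two lines above is still computed from consumed rather than from the number of bytes actually returned. Consider rejecting an undersized buffer before the event is built (returning an error when count is below the header size), or add a comment stating that delivering a partial header is intentional and how callers are expected to detect it. Separately, min_t(long, count, ...) casts the size_t result of sizeof to a signed type; the declaration of count is outside the visible context, so a brief comment on why long is the right comparison type, and that count cannot be negative at this point, would make both new min_t() lines easier to verify.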