diff options
| author | Vlad Tsyrklevich <vlad@tsyrklevich.net> | 2016-10-13 08:36:41 -0400 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2016-10-18 08:08:25 -0400 |
| commit | d69bb92e402ff948bdcd39f19c9067874fb86873 (patch) | |
| tree | 7bbc369e84e7466fdfb8b669db191d2cc88ac7c5 | |
| parent | f771d5bb71d4df9573d12386400540516672208b (diff) | |
ALSA: asihpi: fix kernel memory disclosure
Some elements in hr are not cleared before being copied to user space,
leaking kernel heap memory to user space. For example, this happens in
the error handling code for the HPI_ADAPTER_DELETE case. Zero the memory
before it's copied.
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
| -rw-r--r-- | sound/pci/asihpi/hpioctl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c index d17937b92331..7e3aa50b21f9 100644 --- a/sound/pci/asihpi/hpioctl.c +++ b/sound/pci/asihpi/hpioctl.c | |||
| @@ -111,7 +111,7 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | |||
| 111 | return -EINVAL; | 111 | return -EINVAL; |
| 112 | 112 | ||
| 113 | hm = kmalloc(sizeof(*hm), GFP_KERNEL); | 113 | hm = kmalloc(sizeof(*hm), GFP_KERNEL); |
| 114 | hr = kmalloc(sizeof(*hr), GFP_KERNEL); | 114 | hr = kzalloc(sizeof(*hr), GFP_KERNEL); |
| 115 | if (!hm || !hr) { | 115 | if (!hm || !hr) { |
| 116 | err = -ENOMEM; | 116 | err = -ENOMEM; |
| 117 | goto out; | 117 | goto out; |