ALSA: usx2y: Fix potential leaks of uninitialized memory

author Takashi Iwai <tiwai@suse.de>

Mon, 17 May 2021 13:15:38 +0000 (15:15 +0200)

committer Takashi Iwai <tiwai@suse.de>

Mon, 17 May 2021 14:04:10 +0000 (16:04 +0200)
author Takashi Iwai <tiwai@suse.de>
Mon, 17 May 2021 13:15:38 +0000 (15:15 +0200)
committer Takashi Iwai <tiwai@suse.de>
Mon, 17 May 2021 14:04:10 +0000 (16:04 +0200)
diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c

index 2d4e943be2dad291a82d03ab214c685bd6e31ebb..0ed50be89271b02363711eda1f98d627e02ec712 100644 (file)
--- a/sound/usb/usx2y/usX2Yhwdep.c
+++ b/sound/usb/usx2y/usX2Yhwdep.c
@@ -55,17 +55,17 @@ static int snd_us428ctls_mmap(struct snd_hwdep *hw, struct file *filp, struct vm
                 return -EBUSY;
  
         /* if userspace tries to mmap beyond end of our buffer, fail */
-       if (size > PAGE_ALIGN(sizeof(struct us428ctls_sharedmem))) {
-               snd_printd("%lu > %lu\n", size, (unsigned long)sizeof(struct us428ctls_sharedmem));
+       if (size > US428_SHAREDMEM_PAGES) {
+               snd_printd("%lu > %lu\n", size, (unsigned long)US428_SHAREDMEM_PAGES);
                 return -EINVAL;
         }
  
         if (!us428->us428ctls_sharedmem) {
                 init_waitqueue_head(&us428->us428ctls_wait_queue_head);
-               us428->us428ctls_sharedmem = alloc_pages_exact(sizeof(struct us428ctls_sharedmem), GFP_KERNEL);
+               us428->us428ctls_sharedmem = alloc_pages_exact(US428_SHAREDMEM_PAGES, GFP_KERNEL);
                 if (!us428->us428ctls_sharedmem)
                         return -ENOMEM;
-               memset(us428->us428ctls_sharedmem, -1, sizeof(struct us428ctls_sharedmem));
+               memset(us428->us428ctls_sharedmem, -1, US428_SHAREDMEM_PAGES);
                 us428->us428ctls_sharedmem->ctl_snapshot_last = -2;
         }
         area->vm_ops = &us428ctls_vm_ops;
diff --git a/sound/usb/usx2y/usbus428ctldefs.h b/sound/usb/usx2y/usbus428ctldefs.h

index 06b27d23d3c22343b6e0b7934873b4b64f52955f..9ba15d974e633d1b56b51bca05cdb66572f0ccba 100644 (file)
--- a/sound/usb/usx2y/usbus428ctldefs.h
+++ b/sound/usb/usx2y/usbus428ctldefs.h
@@ -89,3 +89,5 @@ struct us428ctls_sharedmem {
         struct us428_p4out      p4out[N_US428_P4OUT_BUFS];
         int                     p4out_last, p4out_sent;
  };
+
+#define US428_SHAREDMEM_PAGES  PAGE_ALIGN(sizeof(struct us428ctls_sharedmem))
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c

index 05b10bdc638031413e98d07c47f8250050e48778..25e04a0ff97bfacae893fda33276f71af966cb34 100644 (file)
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -430,7 +430,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card)
         usb_free_urb(usx2y->in04_urb);
         if (usx2y->us428ctls_sharedmem)
                 free_pages_exact(usx2y->us428ctls_sharedmem,
-                                sizeof(*usx2y->us428ctls_sharedmem));
+                                US428_SHAREDMEM_PAGES);
         if (usx2y->card_index >= 0 && usx2y->card_index < SNDRV_CARDS)
                 snd_usx2y_card_used[usx2y->card_index] = 0;
  }
diff --git a/sound/usb/usx2y/usx2yhwdeppcm.c b/sound/usb/usx2y/usx2yhwdeppcm.c

index 9219341d71c7994c9c4c189e4f127c0e8eee288b..b988a4870de4671ebefee9ac797e5a86d71293eb 100644 (file)
--- a/sound/usb/usx2y/usx2yhwdeppcm.c
+++ b/sound/usb/usx2y/usx2yhwdeppcm.c
@@ -485,6 +485,9 @@ static int usx2y_usbpcm_urbs_start(struct snd_usx2y_substream *subs)
         return err;
  }
  
+#define USX2Y_HWDEP_PCM_PAGES  \
+       PAGE_ALIGN(sizeof(struct snd_usx2y_hwdep_pcm_shm))
+
  /*
   * prepare callback
   *
@@ -501,11 +504,11 @@ static int snd_usx2y_usbpcm_prepare(struct snd_pcm_substream *substream)
         snd_printdd("snd_usx2y_pcm_prepare(%p)\n", substream);
  
         if (!usx2y->hwdep_pcm_shm) {
-               usx2y->hwdep_pcm_shm = alloc_pages_exact(sizeof(struct snd_usx2y_hwdep_pcm_shm),
+               usx2y->hwdep_pcm_shm = alloc_pages_exact(USX2Y_HWDEP_PCM_PAGES,
                                                          GFP_KERNEL);
                 if (!usx2y->hwdep_pcm_shm)
                         return -ENOMEM;
-               memset(usx2y->hwdep_pcm_shm, 0, sizeof(struct snd_usx2y_hwdep_pcm_shm));
+               memset(usx2y->hwdep_pcm_shm, 0, USX2Y_HWDEP_PCM_PAGES);
         }
  
         mutex_lock(&usx2y->pcm_mutex);
@@ -692,8 +695,8 @@ static int snd_usx2y_hwdep_pcm_mmap(struct snd_hwdep *hw, struct file *filp, str
                 return -EBUSY;
  
         /* if userspace tries to mmap beyond end of our buffer, fail */
-       if (size > PAGE_ALIGN(sizeof(struct snd_usx2y_hwdep_pcm_shm))) {
-               snd_printd("%lu > %lu\n", size, (unsigned long)sizeof(struct snd_usx2y_hwdep_pcm_shm));
+       if (size > USX2Y_HWDEP_PCM_PAGES) {
+               snd_printd("%lu > %lu\n", size, (unsigned long)USX2Y_HWDEP_PCM_PAGES);
                 return -EINVAL;
         }
  
@@ -711,7 +714,7 @@ static void snd_usx2y_hwdep_pcm_private_free(struct snd_hwdep *hwdep)
         struct usx2ydev *usx2y = hwdep->private_data;
  
         if (usx2y->hwdep_pcm_shm)
-               free_pages_exact(usx2y->hwdep_pcm_shm, sizeof(struct snd_usx2y_hwdep_pcm_shm));
+               free_pages_exact(usx2y->hwdep_pcm_shm, USX2Y_HWDEP_PCM_PAGES);
  }
  
  int usx2y_hwdep_pcm_new(struct snd_card *card)
author	Takashi Iwai <tiwai@suse.de>
	Mon, 17 May 2021 13:15:38 +0000 (15:15 +0200)
committer	Takashi Iwai <tiwai@suse.de>
	Mon, 17 May 2021 14:04:10 +0000 (16:04 +0200)
sound/usb/usx2y/usX2Yhwdep.c		patch \| blob \| blame \| history
sound/usb/usx2y/usbus428ctldefs.h		patch \| blob \| blame \| history
sound/usb/usx2y/usbusx2y.c		patch \| blob \| blame \| history
sound/usb/usx2y/usx2yhwdeppcm.c		patch \| blob \| blame \| history