| From 212ac181c158c09038c474ba68068be49caecebb Mon Sep 17 00:00:00 2001 |
| From: Zubin Mithra <zsm@chromium.org> |
| Date: Thu, 4 Apr 2019 14:33:55 -0700 |
| Subject: ALSA: seq: Fix OOB-reads from strlcpy |
| |
| From: Zubin Mithra <zsm@chromium.org> |
| |
| commit 212ac181c158c09038c474ba68068be49caecebb upstream. |
| |
| When ioctl calls are made with non-null-terminated userspace strings, |
| strlcpy causes an OOB-read from within strlen. Fix by changing to use |
| strscpy instead. |
| |
| Signed-off-by: Zubin Mithra <zsm@chromium.org> |
| Reviewed-by: Guenter Roeck <groeck@chromium.org> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/seq/seq_clientmgr.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| --- a/sound/core/seq/seq_clientmgr.c |
| +++ b/sound/core/seq/seq_clientmgr.c |
| @@ -1252,7 +1252,7 @@ static int snd_seq_ioctl_set_client_info |
| |
| /* fill the info fields */ |
| if (client_info->name[0]) |
| - strlcpy(client->name, client_info->name, sizeof(client->name)); |
| + strscpy(client->name, client_info->name, sizeof(client->name)); |
| |
| client->filter = client_info->filter; |
| client->event_lost = client_info->event_lost; |
| @@ -1530,7 +1530,7 @@ static int snd_seq_ioctl_create_queue(st |
| /* set queue name */ |
| if (!info->name[0]) |
| snprintf(info->name, sizeof(info->name), "Queue-%d", q->queue); |
| - strlcpy(q->name, info->name, sizeof(q->name)); |
| + strscpy(q->name, info->name, sizeof(q->name)); |
| snd_use_lock_free(&q->use_lock); |
| |
| return 0; |
| @@ -1592,7 +1592,7 @@ static int snd_seq_ioctl_set_queue_info( |
| queuefree(q); |
| return -EPERM; |
| } |
| - strlcpy(q->name, info->name, sizeof(q->name)); |
| + strscpy(q->name, info->name, sizeof(q->name)); |
| queuefree(q); |
| |
| return 0; |
