ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode

This reverts one hunk of commit ef44a1e ("ALSA: sound/core: use memdup_user()"), which replaced a number of kmalloc followed by memcpy with memdup calls. In this case, we are copying from a struct snd_pcm_hw_params32 to a struct snd_pcm_hw_params, but the latter is 4 bytes longer than the 32-bit version, so we need to separate kmalloc and copy calls. This actually leads to an out-of-bounds memory access later on in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan). Fixes: ef44a1e ('ALSA: sound/core: use memdup_user()') Signed-off-by: Nicolas Boichat <[email protected]> Cc: <[email protected]> Signed-off-by: Takashi Iwai <[email protected]>
vieko · Jan 18, 2016 · 43c54b8 · 43c54b8
1 parent 2ba1fe7
commit 43c54b8
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
 	if (! (runtime = substream->runtime))
 		return -ENOTTY;
 
-	/* only fifo_size is different, so just copy all */
-	data = memdup_user(data32, sizeof(*data32));
-	if (IS_ERR(data))
-		return PTR_ERR(data);
+	data = kmalloc(sizeof(*data), GFP_KERNEL);
+	if (!data)
+		return -ENOMEM;
+
+	/* only fifo_size (RO from userspace) is different, so just copy all */
+	if (copy_from_user(data, data32, sizeof(*data32))) {
+		err = -EFAULT;
+		goto error;
+	}
 
 	if (refine)
 		err = snd_pcm_hw_refine(substream, data);