evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ASoC: msm-lsm-client: use kzalloc instead of kmalloc

Browse source 
In the ioctl function, driver allocates memory to store data
internally before calling copy_to_user to copy data to user-space.
It is possible that kernel internal information can be leaked to
user space through this if the allocated memory is not completely
overwritten with valid data. Use kzalloc to fix this.

CRs-fixed: 2026045
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
This commit is contained in:
Bhalchandra Gajare 2017-04-25 18:37:56 -07:00
parent 1c450066c7
commit 5779144880
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
sound/soc/msm/qdsp6v2/msm-lsm-client.c
View file

@ -1312,7 +1312,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
}
size = sizeof(*user) + userarg32.payload_size;
user = kmalloc(size, GFP_KERNEL);
user = kzalloc(size, GFP_KERNEL);
if (!user) {
dev_err(rtd->dev,
"%s: Allocation failed event status size %d\n",
@ -1333,7 +1333,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
err = -EFAULT;
}
if (!err) {
user32 = kmalloc(size, GFP_KERNEL);
user32 = kzalloc(size, GFP_KERNEL);
if (!user32) {
dev_err(rtd->dev,
"%s: Allocation event user status size %d\n",
@ -1378,7 +1378,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
}
size = sizeof(*user) + userarg32.payload_size;
user = kmalloc(size, GFP_KERNEL);
user = kzalloc(size, GFP_KERNEL);
if (!user) {
dev_err(rtd->dev,
"%s: Allocation failed event status size %d\n",
@ -1398,7 +1398,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
err = -EFAULT;
}
if (!err) {
user32 = kmalloc(size, GFP_KERNEL);
user32 = kzalloc(size, GFP_KERNEL);
if (!user32) {
dev_err(rtd->dev,
"%s: Allocation event user status size %d\n",
@ -1813,7 +1813,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
size = sizeof(struct snd_lsm_event_status) +
userarg.payload_size;
user = kmalloc(size, GFP_KERNEL);
user = kzalloc(size, GFP_KERNEL);
if (!user) {
dev_err(rtd->dev,
"%s: Allocation failed event status size %d\n",
@ -1874,7 +1874,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
size = sizeof(struct snd_lsm_event_status_v3) +
userarg.payload_size;
user = kmalloc(size, GFP_KERNEL);
user = kzalloc(size, GFP_KERNEL);
if (!user) {
dev_err(rtd->dev,
"%s: Allocation failed event status size %d\n",