www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Nicolas Boichat <drinkcat@chromium.org>
	Mon, 18 Jan 2016 13:35:00 +0000 (21:35 +0800)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Thu, 26 May 2016 22:43:15 +0000 (15:43 -0700)
commit	2a603956c034bb62a4979de88307c09392d57528
tree	8a432c335f5142bea553ec9057321e38dd0791f6	tree
parent	dd95ba792593f05580c0aff0d08d09da138f6638	commit \| diff

ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode

Orabug: 23330532

commit 43c54b8c7cfe22f868a751ba8a59abf1724160b1 upstream.

This reverts one hunk of
commit ef44a1ec6eee ("ALSA: sound/core: use memdup_user()"), which
replaced a number of kmalloc followed by memcpy with memdup calls.

In this case, we are copying from a struct snd_pcm_hw_params32 to
a struct snd_pcm_hw_params, but the latter is 4 bytes longer than
the 32-bit version, so we need to separate kmalloc and copy calls.

This actually leads to an out-of-bounds memory access later on
in sound/soc/soc-pcm.c:soc_pcm_hw_params() (detected using KASan).

Fixes: ef44a1ec6eee ('ALSA: sound/core: use memdup_user()')
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 281bedb8728f02a9b8bd5f5e342883e6d255abdc)

Signed-off-by: Dan Duval <dan.duval@oracle.com>