Message ID | 1464189321-26544-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On Wed, May 25, 2016 at 04:15:21PM +0100, Luis Henriques wrote: > From: Kangjie Lu <kangjielu@gmail.com> > > The stack object “tread” has a total size of 32 bytes. Its field > “event” and “val” both contain 4 bytes padding. These 8 bytes > padding bytes are sent to user without being initialized. > > Signed-off-by: Kangjie Lu <kjlu@gatech.edu> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > (cherry picked from commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e) > CVE-2016-4569 > BugLink: https://bugs.launchpad.net/bugs/1580379 > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > sound/core/timer.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/sound/core/timer.c b/sound/core/timer.c > index a82f82624247..f3b17e7f1cf9 100644 > --- a/sound/core/timer.c > +++ b/sound/core/timer.c > @@ -1714,6 +1714,7 @@ static int snd_timer_user_params(struct file *file, > if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { > if (tu->tread) { > struct snd_timer_tread tread; > + memset(&tread, 0, sizeof(tread)); > tread.event = SNDRV_TIMER_EVENT_EARLY; > tread.tstamp.tv_sec = 0; > tread.tstamp.tv_nsec = 0; > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/sound/core/timer.c b/sound/core/timer.c index a82f82624247..f3b17e7f1cf9 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -1714,6 +1714,7 @@ static int snd_timer_user_params(struct file *file, if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { if (tu->tread) { struct snd_timer_tread tread; + memset(&tread, 0, sizeof(tread)); tread.event = SNDRV_TIMER_EVENT_EARLY; tread.tstamp.tv_sec = 0; tread.tstamp.tv_nsec = 0;
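Review bot: The `memset(&tread, 0, sizeof(tread));` added directly under `struct snd_timer_tread tread;` carries no comment saying it is there to clear the padding bytes, and because the lines that follow assign the fields one by one, a later cleanup could mistake it for redundant and drop it. Suggest a short comment above it, for example `/* clear padding before the struct is sent to user space */`, and a blank line between the declaration and the memset() to match kernel style for declarations followed by statements. Keeping memset() rather than switching to a `= {}` initializer is the right call here, since an initializer is not guaranteed to zero padding bytes.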