author: HyeongJun An <sammiee5311@gmail.com> 2026-06-24 08:38:40 +0900
committer: Takashi Iwai <tiwai@suse.de> 2026-06-24 11:03:25 +0200
commit: 435990e25bf1f4af3e6df12a6fbfd1f7ba4a97d4
tree: d872ee4789c40da8473b17177f12396921fb5c31 /include/linux
parent: e0ecb324246be9cf3a0689346a658e48a38546b2
ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
snd_seq_event_dup() copies an incoming event into a pool cell and, in the
UMP-enabled build, clears the trailing cell->ump.raw.extra word that the
memcpy() did not cover. The guard deciding whether to clear it compares the
copied size against sizeof(cell->event):

	memcpy(&cell->ump, event, size);
	if (size < sizeof(cell->event))
		cell->ump.raw.extra = 0;

For a legacy (non-UMP) event, size == sizeof(struct snd_seq_event) ==
sizeof(cell->event), so the condition is false and the extra word keeps
stale data. The cell pool is allocated with kvmalloc() (not zeroed) and
cells are reused via a free list, so that word holds uninitialised heap or
leftover event data.

When such a cell is delivered to a UMP client (client->midi_version > 0)
that set SNDRV_SEQ_FILTER_NO_CONVERT -- so the legacy event reaches it
unconverted -- snd_seq_read() reads it out as the larger struct
snd_seq_ump_event and copies the stale word to user space, a 4-byte kernel
heap infoleak to an unprivileged /dev/snd/seq client.

Compare against sizeof(cell->ump) instead, so the trailing word is zeroed
for every event shorter than the UMP cell.

Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Link: https://patch.msgid.link/20260623233841.853326-1-sammiee5311@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
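To make the guard's behaviour concrete, an added C model (not the kernel's own code; the struct layouts are simplified stand-ins assumed to mirror the 28-byte legacy event and 32-byte UMP event, and the stale fill pattern is constructed) that fills a reused cell with leftover bytes, copies a legacy event in, and reports what the trailing word holds under the old and the corrected comparison:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the kernel structs (assumption: 4-byte aligned
 * timestamp, 28-byte legacy event, 32-byte UMP event with a raw.extra word). */
struct seq_event {
	uint8_t type, flags, tag, queue;
	uint32_t time[2];
	uint16_t source, dest;
	uint8_t data[12];
};

struct seq_ump_event {
	uint8_t type, flags, tag, queue;
	uint32_t time[2];
	uint16_t source, dest;
	union {
		uint32_t ump[4];
		struct {
			uint8_t data[12];
			uint32_t extra;   /* trailing word beyond the legacy event */
		} raw;
	};
};

struct seq_event_cell {
	union {
		struct seq_event event;
		struct seq_ump_event ump;
	};
};

/* Copy `size` bytes of an event into a cell that may carry stale contents.
 * `fixed` selects the corrected guard (sizeof(cell->ump)). */
static void event_dup(struct seq_event_cell *cell, const void *event,
		      size_t size, bool fixed)
{
	memcpy(&cell->ump, event, size);
	size_t limit = fixed ? sizeof(cell->ump) : sizeof(cell->event);
	if (size < limit)
		cell->ump.raw.extra = 0;
}

/* Simulate a free-list cell with leftover data (constructed 0xA5 fill), then
 * copy a legacy-sized event in and return the word a UMP reader would see. */
uint32_t trailing_word(bool fixed)
{
	struct seq_event_cell cell;
	memset(&cell, 0xA5, sizeof(cell));
	struct seq_event ev = { .type = 6 };
	event_dup(&cell, &ev, sizeof(ev), fixed);
	return cell.ump.raw.extra;
}
```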
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions