diff options
| author | Bhalchandra Gajare <gajare@codeaurora.org> | 2017-04-25 18:37:56 -0700 |
|---|---|---|
| committer | Bhalchandra Gajare <gajare@codeaurora.org> | 2017-04-26 17:29:27 -0700 |
| commit | 5779144880a9da2e0214878fc5f98e15c5441244 (patch) | |
| tree | d4588f7b43c3d2247078defca676b941625163a5 | |
| parent | 1c450066c7c30a84ab95adc8674833508418e4a3 (diff) | |
ASoC: msm-lsm-client: use kzalloc instead of kmalloc
In the ioctl function, driver allocates memory to store data
internally before calling copy_to_user to copy data to user-space.
It is possible that kernel internal information can be leaked to
user space through this if the allocated memory is not completely
overwritten with valid data. Use kzalloc to fix this.
CRs-fixed: 2026045
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
| -rw-r--r-- | sound/soc/msm/qdsp6v2/msm-lsm-client.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c index 109e1a202ff2..1003dc8ddc5a 100644 --- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c +++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c @@ -1312,7 +1312,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, } size = sizeof(*user) + userarg32.payload_size; - user = kmalloc(size, GFP_KERNEL); + user = kzalloc(size, GFP_KERNEL); if (!user) { dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", @@ -1333,7 +1333,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, err = -EFAULT; } if (!err) { - user32 = kmalloc(size, GFP_KERNEL); + user32 = kzalloc(size, GFP_KERNEL); if (!user32) { dev_err(rtd->dev, "%s: Allocation event user status size %d\n", @@ -1378,7 +1378,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, } size = sizeof(*user) + userarg32.payload_size; - user = kmalloc(size, GFP_KERNEL); + user = kzalloc(size, GFP_KERNEL); if (!user) { dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", @@ -1398,7 +1398,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, err = -EFAULT; } if (!err) { - user32 = kmalloc(size, GFP_KERNEL); + user32 = kzalloc(size, GFP_KERNEL); if (!user32) { dev_err(rtd->dev, "%s: Allocation event user status size %d\n", @@ -1813,7 +1813,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, size = sizeof(struct snd_lsm_event_status) + userarg.payload_size; - user = kmalloc(size, GFP_KERNEL); + user = kzalloc(size, GFP_KERNEL); if (!user) { dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", @@ -1874,7 +1874,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, size = sizeof(struct snd_lsm_event_status_v3) + userarg.payload_size; - user = kmalloc(size, GFP_KERNEL); + user = kzalloc(size, GFP_KERNEL); if (!user) { dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", |