ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.

The stack object â\80\9ctreadâ\80\9d has a total size of 32 bytes. Its field
â\80\9ceventâ\80\9d and â\80\9cvalâ\80\9d both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2016-4569]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I6b1d724d95496f16248abcdcdbed2d3b2136b58f

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 4e436fe..8c3871b 100644 (file)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1683,6 +1683,7 @@ static int snd_timer_user_params(struct file *file,
        if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
                if (tu->tread) {
                        struct snd_timer_tread tread;
+                       memset(&tread, 0, sizeof(tread));
                        tread.event = SNDRV_TIMER_EVENT_EARLY;
                        tread.tstamp.tv_sec = 0;
                        tread.tstamp.tv_nsec = 0;