From: Kangjie Lu Date: Tue, 3 May 2016 20:44:07 +0000 (-0400) Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS X-Git-Tag: submit/tizen/20171013.014523~35 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d48662cd025fbc0e79aff7f6802443f9694254cf;p=profile%2Fmobile%2Fplatform%2Fkernel%2Flinux-3.10-sc7730.git ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream. The stack object “tread” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. These 8 bytes padding bytes are sent to user without being initialized. Signed-off-by: Kangjie Lu Signed-off-by: Takashi Iwai Signed-off-by: Willy Tarreau [sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2016-4569] Signed-off-by: Seung-Woo Kim Change-Id: I6b1d724d95496f16248abcdcdbed2d3b2136b58f --- diff --git a/sound/core/timer.c b/sound/core/timer.c index 4e436fe..8c3871b 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -1683,6 +1683,7 @@ static int snd_timer_user_params(struct file *file, if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { if (tu->tread) { struct snd_timer_tread tread; + memset(&tread, 0, sizeof(tread)); tread.event = SNDRV_TIMER_EVENT_EARLY; tread.tstamp.tv_sec = 0; tread.tstamp.tv_nsec = 0;