Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54e4f40d authored by Bhalchandra Gajare's avatar Bhalchandra Gajare Committed by Banajit Goswami
Browse files

ASoC: msm-lsm-client: use kzalloc instead of kmalloc 



In the ioctl function, driver allocates memory to store data
internally before calling copy_to_user to copy data to user-space.
It is possible that kernel internal information can be leaked to
user space through this if the allocated memory is not completely
overwritten with valid data. Use kzalloc to fix this.

CRs-fixed: 2026045
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: default avatarBhalchandra Gajare <gajare@codeaurora.org>
parent d8563757

sound/soc/msm/qdsp6v2/msm-lsm-client.c

+6 −6
Original line number Diff line number Diff line
@@ -1313,7 +1313,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		}



		size = sizeof(*user) + userarg32.payload_size;

		user = kmalloc(size, GFP_KERNEL);

		user = kzalloc(size, GFP_KERNEL);

		if (!user) {

			dev_err(rtd->dev,

				"%s: Allocation failed event status size %d\n",
@@ -1335,7 +1335,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			err = -EFAULT;

		}

		if (!err) {

			user32 = kmalloc(size, GFP_KERNEL);

			user32 = kzalloc(size, GFP_KERNEL);

			if (!user32) {

				dev_err(rtd->dev,

					"%s: Allocation event user status size %d\n",
@@ -1380,7 +1380,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
		}



		size = sizeof(*user) + userarg32.payload_size;

		user = kmalloc(size, GFP_KERNEL);

		user = kzalloc(size, GFP_KERNEL);

		if (!user) {

			dev_err(rtd->dev,

				"%s: Allocation failed event status size %d\n",
@@ -1400,7 +1400,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, 
			err = -EFAULT;

		}

		if (!err) {

			user32 = kmalloc(size, GFP_KERNEL);

			user32 = kzalloc(size, GFP_KERNEL);

			if (!user32) {

				dev_err(rtd->dev,

					"%s: Allocation event user status size %d\n",
@@ -1810,7 +1810,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 


		size = sizeof(struct snd_lsm_event_status) +

		userarg.payload_size;

		user = kmalloc(size, GFP_KERNEL);

		user = kzalloc(size, GFP_KERNEL);

		if (!user) {

			dev_err(rtd->dev,

				"%s: Allocation failed event status size %d\n",
@@ -1871,7 +1871,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, 


		size = sizeof(struct snd_lsm_event_status_v3) +

			userarg.payload_size;

		user = kmalloc(size, GFP_KERNEL);

		user = kzalloc(size, GFP_KERNEL);

		if (!user) {

			dev_err(rtd->dev,

				"%s: Allocation failed event status size %d\n",