From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Jaroslav Kysela, Takashi Iwai, alsa-devel@alsa-project.org (moderated list:SOUND), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] ALSA: control: fix a redundant-copy issue
Date: Sat, 5 May 2018 13:38:03 -0500
Message-Id: <1525545485-12183-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In snd_ctl_elem_add_compat(), the fields of the struct 'data' need to be copied from the corresponding fields of the struct 'data32' in userspace. This is achieved by invoking copy_from_user() and get_user() functions. The problem here is that the 'type' field is copied twice. One is by copy_from_user() and one is by get_user(). Given that the 'type' field is not used between the two copies, the second copy is *completely* redundant and should be removed for better performance and cleanup.

Also, these two copies can cause inconsistent data: as the struct 'data32' resides in userspace and a malicious userspace process can race to change the 'type' field between the two copies to cause inconsistent data. Depending on how the data is used in the future, such an inconsistency may cause potential security risks.

For the above reasons, we should take out the second copy.

Signed-off-by: Wenwen Wang

--- sound/core/control_compat.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c index a848836..507fd52 100644 --- a/sound/core/control_compat.c +++ b/sound/core/control_compat.c
@@ -396,8 +396,7 @@ static int snd_ctl_elem_add_compat(struct snd_ctl_file *file, if (copy_from_user(&data->id, &data32->id, sizeof(data->id)) || copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))) goto error; - if (get_user(data->owner, &data32->owner) || - get_user(data->type, &data32->type)) + if (get_user(data->owner, &data32->owner)) goto error; switch (data->type) { case SNDRV_CTL_ELEM_TYPE_BOOLEAN: -- 2.7.4
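
Review bot: with the second get_user() removed, `switch (data->type)` depends entirely on the bulk `copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))`, which assumes that `type` and the two fields after it are u32-sized and laid out identically in both structs. A short comment above that call, or a compile-time layout check, stating that `type` is fetched from userspace exactly once here would keep a later cleanup from reintroducing the double fetch. The changelog leads with performance and cleanup, but the race on `data32->type` described in its second paragraph is the stronger justification and could be reflected in the subject line.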