Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp881530yba; Wed, 24 Apr 2019 11:07:14 -0700 (PDT) X-Google-Smtp-Source: APXvYqz+9uro5iWYNJ3+jqARp/UyNPUwl5XMZddP2a2urOD9ywiLXWG8CoTHtC5LBqYSm1Ee7m9v X-Received: by 2002:a17:902:1486:: with SMTP id k6mr34343825pla.208.1556129234796; Wed, 24 Apr 2019 11:07:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556129234; cv=none; d=google.com; s=arc-20160816; b=CZjswJIj4+51+NfGDqZ/jNlVsIXE4TfLUi9cWfUPUS+6FsspK1Tnwyf48oDI8DdskQ +jFL7UiYLro+2VkPg2hmt97v2CMr2hAvGtCnyxKGMamhQiSPQAhCe2uUubYMjfg1tdgu QQVKzf0xigvC2YxIpO7FIvOjV/cEzrZYNmaIEI7V8+PKxm8PYsEbblZ/Y8lRED7ytNNU UwDd2L6n9BLvV1jjTdWaJGd6aXzBubJK0uHMVQTdCQIW64i0W9A+Cnx1aBPXwv8mnYnL YDd+c85t82865BunVYdH1kWwhh9/93P6bJPCvG2f/lO3AaYwqD4h4U9UbcYIz3GdQvJw U04w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=BqWluHXMqFDsO+Kv6yh2vv8r1JJ/xJDymVHdr2D+qjE=; b=Tw4/MN3/OC5tH/24PykjD7YkQqe+AJ4jUEzoYzLK4rRakXIXwmlxF2cf9v2Xjn6L7A vdRXov5ctGfe1FQ+GMn17Spz6Bmy4hgLpd8zFqSzbpah4XIJdcP+DmgvRwKQX4BF5U7B WtK6vD2GCw9Yr6m1OcKQ11srVhLYyQAybL5LdjEZAXKkiUKTTXr9TpU7s6j4g/prr78N cvf1Nbvxue7SHAxi3n2jCqMu6wr3mQFyPWLwRdxguGzhn3JfLZBHYsh1Ho4Dzch2R6Tz RlgoFVqGNinEoiOslMqiCAyoDnCi91oKVq7vsdm+REEMs9dVCOWKnp3mqgy9AzC0Qvf9 f7XQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uWxieMXl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d185si11704844pgc.590.2019.04.24.11.06.59; Wed, 24 Apr 2019 11:07:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uWxieMXl; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389014AbfDXRTc (ORCPT + 99 others); Wed, 24 Apr 2019 13:19:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:44758 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388594AbfDXRTa (ORCPT ); Wed, 24 Apr 2019 13:19:30 -0400 Received: from localhost (62-193-50-229.as16211.net [62.193.50.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E8BE92190C; Wed, 24 Apr 2019 17:19:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556126369; bh=AiAas9CzoldVE1sCjQUkrwaG3fGgf9LVZs/f4IgRrpk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uWxieMXlozULmSSbX6/VvnNFYHMB6fljF+ApHWdYq6XsmCvJqvKbVHEagbGGtIoPD L2Ed44G0lnfH2hA/Q6ixxqU9oYm90haxGLXvdg0OUq+DrFBEuQP1XUxlXrfsf2nCvt wqbn7bFWgD1e3OWrGyB1DpaQfOK7R+wP5SOO2R50= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zubin Mithra , Guenter Roeck , Takashi Iwai Subject: [PATCH 4.4 087/168] ALSA: seq: Fix OOB-reads from strlcpy Date: Wed, 24 Apr 2019 19:08:51 +0200 Message-Id: <20190424170928.929796508@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190424170923.452349382@linuxfoundation.org> References: <20190424170923.452349382@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Zubin Mithra commit 212ac181c158c09038c474ba68068be49caecebb upstream. When ioctl calls are made with non-null-terminated userspace strings, strlcpy causes an OOB-read from within strlen. Fix by changing to use strscpy instead. Signed-off-by: Zubin Mithra Reviewed-by: Guenter Roeck Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/seq/seq_clientmgr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info /* fill the info fields */ if (client_info.name[0]) - strlcpy(client->name, client_info.name, sizeof(client->name)); + strscpy(client->name, client_info.name, sizeof(client->name)); client->filter = client_info.filter; client->event_lost = client_info.event_lost; @@ -1558,7 +1558,7 @@ static int snd_seq_ioctl_create_queue(st /* set queue name */ if (! info.name[0]) snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); - strlcpy(q->name, info.name, sizeof(q->name)); + strscpy(q->name, info.name, sizeof(q->name)); snd_use_lock_free(&q->use_lock); if (copy_to_user(arg, &info, sizeof(info))) @@ -1636,7 +1636,7 @@ static int snd_seq_ioctl_set_queue_info( queuefree(q); return -EPERM; } - strlcpy(q->name, info.name, sizeof(q->name)); + strscpy(q->name, info.name, sizeof(q->name)); queuefree(q); return 0;