ACK: [CVE-2016-4569][precise, trusty, lts-u, vivid, wily, xenial, yakkety] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

[Christopher Arges]

On Wed, May 25, 2016 at 04:15:21PM +0100, Luis Henriques wrote:
> From: Kangjie Lu <kangjielu at gmail.com>
> 
> The stack object “tread” has a total size of 32 bytes. Its field
> “event” and “val” both contain 4 bytes padding. These 8 bytes
> padding bytes are sent to user without being initialized.
> 
> Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
> (cherry picked from commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e)
> CVE-2016-4569
> BugLink: https://bugs.launchpad.net/bugs/1580379
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  sound/core/timer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/sound/core/timer.c b/sound/core/timer.c
> index a82f82624247..f3b17e7f1cf9 100644
> --- a/sound/core/timer.c
> +++ b/sound/core/timer.c
> @@ -1714,6 +1714,7 @@ static int snd_timer_user_params(struct file *file,
>  	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
>  		if (tu->tread) {
>  			struct snd_timer_tread tread;
> +			memset(&tread, 0, sizeof(tread));
>  			tread.event = SNDRV_TIMER_EVENT_EARLY;
>  			tread.tstamp.tv_sec = 0;
>  			tread.tstamp.tv_nsec = 0;
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team