ALSA: seq: Fix OOB-reads from strlcpy [Linux 3.16.72]

This Linux kernel change "ALSA: seq: Fix OOB-reads from strlcpy" is included in the Linux 3.16.72 release. This change is authored by Zubin Mithra <zsm [at] chromium.org> on Thu Apr 4 14:33:55 2019 -0700. The commit for this change in Linux stable tree is 5717589 (patch) which is from upstream commit 212ac18. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 212ac18.

ALSA: seq: Fix OOB-reads from strlcpy

commit 212ac181c158c09038c474ba68068be49caecebb upstream.

When ioctl calls are made with non-null-terminated userspace strings,
strlcpy causes an OOB-read from within strlen. Fix by changing to use
strscpy instead.

Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

There are 6 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 sound/core/seq/seq_clientmgr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 60fb2c7..f6396e0 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client,

    /* fill the info fields */
    if (client_info.name[0])
-       strlcpy(client->name, client_info.name, sizeof(client->name));
+       strscpy(client->name, client_info.name, sizeof(client->name));

    client->filter = client_info.filter;
    client->event_lost = client_info.event_lost;
@@ -1564,7 +1564,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client,
    /* set queue name */
    if (! info.name[0])
        snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
-   strlcpy(q->name, info.name, sizeof(q->name));
+   strscpy(q->name, info.name, sizeof(q->name));
    queuefree(q);

    if (copy_to_user(arg, &info, sizeof(info)))
@@ -1642,7 +1642,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client,
        queuefree(q);
        return -EPERM;
    }
-   strlcpy(q->name, info.name, sizeof(q->name));
+   strscpy(q->name, info.name, sizeof(q->name));
    queuefree(q);

    return 0;

Leave a Reply

Your email address will not be published. Required fields are marked *