From patchwork Mon Dec 12 13:19:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 633559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id F11F0C4332F for ; Mon, 12 Dec 2022 13:55:48 +0000 (UTC) Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id 2342429C1; Mon, 12 Dec 2022 14:54:57 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 2342429C1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1670853347; bh=erx4mekDg9iblF1wO5yq7GtbKAKHxTvYsT67M7AkDa8=; h=From:To:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Cc:From; b=DZ2hXrLwh8GnE/5YyLl3bIbwdKQUsO2Ltuv6HYTcKw/Wak/g2Ng+olqJoAL5la9ho YIQSC1ikio+6ZrjRdwWxR05dnWIM3skx4xen6c1cVZMrLo/rRk26a/nMin+tR5uGFG +hD9kt+czJYYL3RP+7AEzcSqt2mBF9h0WmJFvKT8= Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1]) by alsa1.perex.cz (Postfix) with ESMTP id D2575F80494; Mon, 12 Dec 2022 14:54:56 +0100 (CET) Received: by alsa1.perex.cz (Postfix, from userid 50401) id AC9A8F80115; Mon, 12 Dec 2022 14:54:55 +0100 (CET) Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id 194ADF80115 for ; Mon, 12 Dec 2022 14:54:53 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz 194ADF80115 Authentication-Results: alsa1.perex.cz; dkim=pass (1024-bit key, unprotected) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.a=rsa-sha256 header.s=korg header.b=m8TT0nFu Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id ADE74610A7; Mon, 12 Dec 2022 13:54:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D58EC433D2; Mon, 12 Dec 2022 13:54:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1670853292; bh=erx4mekDg9iblF1wO5yq7GtbKAKHxTvYsT67M7AkDa8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m8TT0nFufF20H9xlTndK7Fz/MIHmTjUiohkTvwmNrlZyVm1B97pzBNWiiUnSHDfUG SeOsrBm3bipHrN1N4SfG8GUdEn3olwGVBIZoZoqsqAPQqZR3UPB8dhQuQDePZN+IpU XiSmkR83aTiV+WekPgBy7tUoE2nNDvHEEMXRzhiM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Subject: [PATCH 4.9 04/31] ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event Date: Mon, 12 Dec 2022 14:19:22 +0100 Message-Id: <20221212130910.180549087@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221212130909.943483205@linuxfoundation.org> References: <20221212130909.943483205@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sasha Levin , alsa-devel@alsa-project.org, "Gustavo A. R. Silva" , kernel test robot , Takashi Iwai , Greg Kroah-Hartman , Takashi Iwai , patches@lists.linux.dev, Kees Cook Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" From: Kees Cook [ Upstream commit 05530ef7cf7c7d700f6753f058999b1b5099a026 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes matching snd_seq_dump_func_t. Adjust this and remove the casts. There are not resulting binary output differences. This was found as a result of Clang's new -Wcast-function-type-strict flag, which is more sensitive than the simpler -Wcast-function-type, which only checks for type width mismatches. Reported-by: kernel test robot Link: https://lore.kernel.org/lkml/202211041527.HD8TLSE1-lkp@intel.com Cc: Jaroslav Kysela Cc: Takashi Iwai Cc: "Gustavo A. R. Silva" Cc: alsa-devel@alsa-project.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221118232346.never.380-kees@kernel.org Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin --- sound/core/seq/seq_memory.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c index 4c8cbcd89887..42f4aa841051 100644 --- a/sound/core/seq/seq_memory.c +++ b/sound/core/seq/seq_memory.c @@ -126,15 +126,19 @@ EXPORT_SYMBOL(snd_seq_dump_var_event); * expand the variable length event to linear buffer space. */ -static int seq_copy_in_kernel(char **bufptr, const void *src, int size) +static int seq_copy_in_kernel(void *ptr, void *src, int size) { + char **bufptr = ptr; + memcpy(*bufptr, src, size); *bufptr += size; return 0; } -static int seq_copy_in_user(char __user **bufptr, const void *src, int size) +static int seq_copy_in_user(void *ptr, void *src, int size) { + char __user **bufptr = ptr; + if (copy_to_user(*bufptr, src, size)) return -EFAULT; *bufptr += size; @@ -163,8 +167,7 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char return newlen; } err = snd_seq_dump_var_event(event, - in_kernel ? (snd_seq_dump_func_t)seq_copy_in_kernel : - (snd_seq_dump_func_t)seq_copy_in_user, + in_kernel ? seq_copy_in_kernel : seq_copy_in_user, &buf); return err < 0 ? err : newlen; }