[PATCH openEuler-22.03-LTS-SP1] ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event - Kernel

28 Oct 2024

From: Kees Cook keescook@chromium.org
mainline inclusion
from mainline-v6.1-rc7
commit 05530ef7cf7c7d700f6753f058999b1b5099a026
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRDZ
CVE: CVE-2022-48994
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed.
seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes
matching snd_seq_dump_func_t. Adjust this and remove the casts. There
are not resulting binary output differences.
This was found as a result of Clang's new -Wcast-function-type-strict
flag, which is more sensitive than the simpler -Wcast-function-type,
which only checks for type width mismatches.
Reported-by: kernel test robot lkp@intel.com
Link: https://lore.kernel.org/lkml/202211041527.HD8TLSE1-lkp@intel.com
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: "Gustavo A. R. Silva" gustavoars@kernel.org
Cc: alsa-devel@alsa-project.org
Signed-off-by: Kees Cook keescook@chromium.org
Link: https://lore.kernel.org/r/20221118232346.never.380-kees@kernel.org
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Luo Gengkun luogengkun2@huawei.com
---
 sound/core/seq/seq_memory.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index 65db1a7c77b7..bb76a2dd0a2f 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -112,15 +112,19 @@ EXPORT_SYMBOL(snd_seq_dump_var_event);
  * expand the variable length event to linear buffer space.
  */
-static int seq_copy_in_kernel(char **bufptr, const void *src, int size)
+static int seq_copy_in_kernel(void *ptr, void *src, int size)
 {
+	char **bufptr = ptr;
+
    memcpy(*bufptr, src, size);
    *bufptr += size;
    return 0;
 }
-static int seq_copy_in_user(char __user **bufptr, const void *src, int size)
+static int seq_copy_in_user(void *ptr, void *src, int size)
 {
+	char __user **bufptr = ptr;
+
    if (copy_to_user(*bufptr, src, size))
    	return -EFAULT;
    *bufptr += size;
@@ -149,8 +153,7 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char
    	return newlen;
    }
    err = snd_seq_dump_var_event(event,
-				     in_kernel ? (snd_seq_dump_func_t)seq_copy_in_kernel :
-				     (snd_seq_dump_func_t)seq_copy_in_user,
+				     in_kernel ? seq_copy_in_kernel : seq_copy_in_user,
    			     &buf);
    return err < 0 ? err : newlen;
 }
-- 
2.34.1


    