diff options
| author | Peter Ujfalusi <peter.ujfalusi@linux.intel.com> | 2026-06-09 11:34:56 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-09 20:41:12 +0300 |
| commit | 390aa4c9339bb0ec0bc8d554e830faf93ca9d49e (patch) | |
| tree | b3d2bc0649d55f14dbb5e10d1895ea8af756724c | |
| parent | 8791977d7289f6e9d2b014f60a5455f053a7bc04 (diff) | |
| download | linux-390aa4c9339bb0ec0bc8d554e830faf93ca9d49e.tar.xz | |
ASoC: SOF: ipc3-control: Validate size in snd_sof_update_control
In snd_sof_update_control(), firmware-provided cdata->num_elems is
checked against local_cdata->data->size but never against the actual
allocation size. If local_cdata->data->size was previously set to an
inconsistent value, the memcpy could write past the allocated buffer.
Add a bounds check to ensure num_elems fits within the available space
in the ipc_control_data allocation before copying.
Fixes: 10f461d79c2d ("ASoC: SOF: Add IPC3 topology control ops")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-5-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
| -rw-r--r-- | sound/soc/sof/ipc3-control.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/sound/soc/sof/ipc3-control.c b/sound/soc/sof/ipc3-control.c index 23b0ae3ad414..4b907d8cf58a 100644 --- a/sound/soc/sof/ipc3-control.c +++ b/sound/soc/sof/ipc3-control.c @@ -535,6 +535,15 @@ static void snd_sof_update_control(struct snd_sof_control *scontrol, return; } + /* Verify the size fits within the allocation */ + if (cdata->num_elems > scontrol->max_size - sizeof(*local_cdata) - + sizeof(*local_cdata->data)) { + dev_err(scomp->dev, + "cdata binary size %u exceeds buffer\n", + cdata->num_elems); + return; + } + /* copy the new binary data */ memcpy(local_cdata->data, cdata->data, cdata->num_elems); } else if (cdata->num_elems != scontrol->num_channels) { |
