diff options
| author | Peter Ujfalusi <peter.ujfalusi@linux.intel.com> | 2026-06-09 11:34:53 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-09 20:41:09 +0300 |
| commit | 3ad673e7139cf214afd24321a829aad6575f4163 (patch) | |
| tree | 143f2edb51ff2ede04b19e0add1d5425e63ecf0c /include/linux/debugobjects.h | |
| parent | 60a1646b38d4d03e4fbdcc2c3fbff8096f5ff406 (diff) | |
| download | linux-3ad673e7139cf214afd24321a829aad6575f4163.tar.xz | |
ASoC: SOF: ipc4-control: Fix TOCTOU in sof_ipc4_bytes_put
In sof_ipc4_bytes_put(), the copy size is derived from the old
data->size in the buffer rather than the incoming new data's size
field from ucontrol. If the new data has a different size, the copy
uses the wrong length: it may truncate valid data or copy stale bytes.
Fix by validating and using the incoming data's sof_abi_hdr.size from
ucontrol before copying.
Fixes: a062c8899fed ("ASoC: SOF: ipc4-control: Add support for bytes control get and put")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-2-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'include/linux/debugobjects.h')
0 files changed, 0 insertions, 0 deletions
