diff options
| author | Peter Ujfalusi <peter.ujfalusi@linux.intel.com> | 2026-06-09 11:34:55 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-09 20:41:11 +0300 |
| commit | 8791977d7289f6e9d2b014f60a5455f053a7bc04 (patch) | |
| tree | 30b68d3cd19de2fd0effb814721e4edb890cb84a /include/linux/stackprotector.h | |
| parent | 5bdfeccb7fbf6e000fc783cd8412732e67c1ad0c (diff) | |
| download | linux-8791977d7289f6e9d2b014f60a5455f053a7bc04.tar.xz | |
ASoC: SOF: ipc3-control: Use overflow checks in control_update size calc
In sof_ipc3_control_update(), the expected_size calculation uses
firmware-provided cdata->num_elems in arithmetic that could overflow
on 32-bit platforms, wrapping to a small value. This would allow the
cdata->rhdr.hdr.size comparison to pass with mismatched sizes,
potentially leading to out-of-bounds access in snd_sof_update_control.
Use check_mul_overflow() and check_add_overflow() to detect and reject
overflowed size calculations.
Fixes: 10f461d79c2d ("ASoC: SOF: Add IPC3 topology control ops")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-4-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'include/linux/stackprotector.h')
0 files changed, 0 insertions, 0 deletions
