diff options
| author | Peter Ujfalusi <peter.ujfalusi@linux.intel.com> | 2026-06-09 11:34:57 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-09 20:41:13 +0300 |
| commit | 1f97760417b5faa60e9642fd0ed61eb17d0b1b39 (patch) | |
| tree | 904c653469cc1fa005e49e0b7d6a904000e174d3 /include/linux/timerqueue.h | |
| parent | 390aa4c9339bb0ec0bc8d554e830faf93ca9d49e (diff) | |
| download | linux-1f97760417b5faa60e9642fd0ed61eb17d0b1b39.tar.xz | |
ASoC: SOF: ipc3-control: Fix TOCTOU in bytes_put and bytes_get
In sof_ipc3_bytes_put(), the size used for the memcpy is derived from
the old data->size already in the buffer, not the incoming new data's
size field. If the new data has a different size, the copy length is
wrong: it may truncate valid data or copy stale bytes.
Similarly, sof_ipc3_bytes_get() checks data->size against max_size
without accounting for the sizeof(struct sof_ipc_ctrl_data) offset
of the flex array within the allocation.
Fix bytes_put to validate and use the incoming data's sof_abi_hdr.size
from ucontrol before copying. Fix bytes_get to subtract sizeof(*cdata)
from the bounds check to match the actual available space.
Fixes: 544ac8858f24 ("ASoC: SOF: Add bytes_get/put control IPC ops for IPC3")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-6-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'include/linux/timerqueue.h')
0 files changed, 0 insertions, 0 deletions
