diff options
| author | Mark Brown <broonie@kernel.org> | 2026-06-09 20:41:15 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-09 20:41:15 +0300 |
| commit | 9f0b311829eb58e0a0541d356f651ba4399aa765 (patch) | |
| tree | 60e76846d0d70f9fdecf159170b5dd0d4d0d3dae /include/linux | |
| parent | 60a1646b38d4d03e4fbdcc2c3fbff8096f5ff406 (diff) | |
| parent | fd46668d538993218eea19c6925c868ac0f2630c (diff) | |
| download | linux-9f0b311829eb58e0a0541d356f651ba4399aa765.tar.xz | |
ASoC: SOF: ipc3/ipc4-control: harden kcontrol payload handling
Peter Ujfalusi <peter.ujfalusi@linux.intel.com> says:
This series hardens SOF kcontrol data paths for both IPC3 and IPC4 by
fixing size-handling bugs in put/get/update flows and tightening bounds
checks around firmware/user-provided payload lengths.
The changes include:
Fix TOCTOU-style size misuse in IPC3/IPC4 bytes put paths by validating and
using the incoming payload size.
Add notification/update payload size validation before parsing control data.
Use overflow-checked arithmetic when computing expected IPC3 control sizes.
Ensure update/copy bounds are validated against actual allocation limits.
Fix IPC3 bytes_ext bounds checks to account for struct header offset, closing
a heap overflow/over-read issue from unprivileged userspace TLV access.
Overall, the series makes control payload processing robust against malformed or
inconsistent sizes and prevents out-of-bounds accesses.
Link: https://patch.msgid.link/20260609083458.31193-1-peter.ujfalusi@linux.intel.com
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
