diff options
| author | HyeongJun An <sammiee5311@gmail.com> | 2026-06-23 14:05:26 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-06-23 16:46:15 +0300 |
| commit | 1ce42a11bed134903e352010a01fa53073a6b395 (patch) | |
| tree | 8b6722901544b10c10b0fcd685dc05586373ad4a /rust/zerocopy/src/pointer | |
| parent | a4fa646d30e71103e4496290f19198430da2ce5c (diff) | |
| download | linux-1ce42a11bed134903e352010a01fa53073a6b395.tar.xz | |
ASoC: SDCA: Validate written enum value in ge_put_enum_double()
ge_put_enum_double() passes the user-supplied enumeration index
item[0] to snd_soc_enum_item_to_val() without checking it against the
number of items in the enum:
ret = snd_soc_enum_item_to_val(e, item[0]);
snd_soc_enum_item_to_val() indexes the heap-allocated e->values[] array
with that index (e->values is set from a devm_kcalloc() of e->items
entries), so a control write with an out-of-range item[0] reads past the
end of the values buffer. The bounds check in
snd_soc_dapm_put_enum_double() only runs afterwards, so it does not
prevent the read here.
Reject an out-of-range item before using it, matching the other enum put
handlers.
This issue was pointed out by the Sashiko AI review bot while reviewing a
related enum-validation series:
https://lore.kernel.org/all/20260609125735.CEB651F00893@smtp.kernel.org/
Fixes: 812ff1baa764 ("ASoC: SDCA: Limit values user can write to Selected Mode")
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260623110526.813217-1-sammiee5311@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'rust/zerocopy/src/pointer')
0 files changed, 0 insertions, 0 deletions
