mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-27 22:51:31 +00:00
Code Issues Releases Wiki Activity
linux-stable/sound
History
Peter Ujfalusi 896b03bb7c ASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload 
[ Upstream commit a962890a5a ]

It is possible to craft a topology where sof_get_control_data() would do
out of bounds access because it expects that it is only called when the
payload is bytes type.
Confusingly it also handles other types of controls, but the payload
parsing implementation is only valid for bytes.

Fix the code to count the non bytes controls and instead of storing a
pointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),
store the pointer to the data itself and add a new member to save the size
of the data.

In case of non bytes controls we store the pointer to the chanv itself,
which is just an array of values at the end.

In case of bytes control, drop the wrong cdata->data (wdata[i].pdata) check
against NULL since it is incorrect and invalid in this context.
The data is pointing to the end of cdata struct, so it should never be
null.

Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Link: https://lore.kernel.org/r/20220427185221.28928-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-06-09 10:29:39 +02:00
..
ac97
aoa
arm
atmel
core ALSA: jack: Access input_dev under mutex 2022-06-09 10:29:34 +02:00
drivers ALSA: mtpav: Don't call card private_free at probe error path 2022-04-12 17:58:43 +02:00
firewire ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes 2022-04-25 08:03:49 +02:00
hda ALSA: hda: intel-dsp-config: Add RaptorLake PCI IDs 2022-04-21 21:22:51 +02:00
i2c
isa ALSA: wavefront: Proper check of get_user() error 2022-05-10 16:26:45 +02:00
mips ALSA: mips: Use platform_get_irq() to get the interrupt 2022-02-28 16:59:01 +01:00
oss sound/oss/dmasound: fix 'dmasound_setup' defined but not used 2022-04-15 09:17:37 +02:00
parisc
pci ALSA: hda/realtek - Fix microphone noise on ASUS TUF B550M-PLUS 2022-06-09 10:29:27 +02:00
pcmcia
ppc powerpc/machdep: Move sys_ctrler_t definition into pmac_feature.h 2022-02-07 21:02:20 +11:00
sh
soc ASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload 2022-06-09 10:29:39 +02:00
sparc ALSA: sparc: no need to initialise statics to 0 2021-12-12 10:01:04 +01:00
spi sound updates for 5.18 2022-03-23 15:11:12 -07:00
synth ALSA: synth: missing check for possible NULL after the call to kstrdup 2021-11-09 07:18:50 +01:00
usb ALSA: usb-audio: Cancel pending work at closing a MIDI substream 2022-06-09 10:29:27 +02:00
virtio virtio: wrap config->reset calls 2022-01-14 18:50:52 -05:00
x86 ALSA: intel_hdmi: Fix the missing snd_card_free() call at probe error 2022-04-12 17:58:35 +02:00
xen xen/grant-table: remove readonly parameter from functions 2022-03-15 20:34:40 -05:00
ac97_bus.c
Kconfig
last.c
Makefile
sound_core.c sound: core: Remove redundant variable and return the last statement 2022-02-28 17:57:14 +01:00