Re: [PATCH v2] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
From: Takashi Iwai
Date: Tue Apr 14 2026 - 09:35:31 EST
On Tue, 14 Apr 2026 15:24:37 +0200,
Ziqing Chen wrote:
>
> snd_ctl_elem_init_enum_names() advances pointer p through the names
> buffer while decrementing buf_len. If buf_len reaches zero but items
> remain, the next iteration calls strnlen(p, 0).
>
> While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
> error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
> maxlen against __builtin_dynamic_object_size(). When Clang loses track
> of p's object size inside the loop, this triggers a BRK exception panic
> before the return value is examined.
>
> Add a buf_len == 0 guard at the loop entry to prevent calling fortified
> strnlen() on an exhausted buffer.
>
> Found by kernel fuzz testing on a Xiaomi smartphone.
>
> Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Ziqing Chen <chenziqing@xxxxxxxxxx>
Applied now. Thanks.
Takashi
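Added illustration, not part of the mail above and not the kernel's own sound/core/control.c code: a userspace model of the name-buffer walk the commit message describes. The `guard_exhausted` flag toggles the `buf_len == 0` check at loop entry, and a counting wrapper around `strnlen()` records how often the walk reaches `strnlen(p, 0)`, which is the call a fortified `strnlen()` can turn into a BRK panic. The 64-byte name limit and the `name_len >= buf_len` (unterminated name) check are assumptions of this model, not taken from the patch text.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-name limit for this model (not taken from the patch text). */
#define ENUM_NAME_MAX 64

/* Counts strnlen() calls made with maxlen == 0: the call that a fortified
 * strnlen() under CONFIG_FORTIFY_SOURCE can trap on before its return value
 * is ever compared against 0. Plain userspace strnlen() just returns 0. */
static int zero_len_strnlen_calls;

static void reset_trace(void)
{
    zero_len_strnlen_calls = 0;
}

static size_t traced_strnlen(const char *s, size_t maxlen)
{
    if (maxlen == 0)
        zero_len_strnlen_calls++;
    return strnlen(s, maxlen);
}

/*
 * Walk a buffer of NUL-separated names the way the commit message describes:
 * p advances past each name and buf_len shrinks by name_len + 1.
 * guard_exhausted == 1 applies the patch's buf_len == 0 check at loop entry.
 * Returns 0 on success or -EINVAL on a malformed buffer (hypothetical model).
 */
static int enum_names_walk(const char *buf, size_t buf_len, unsigned int items,
                           const char **names, int guard_exhausted)
{
    const char *p = buf;

    for (unsigned int i = 0; i < items; ++i) {
        size_t name_len;

        /* The fix: never call strnlen() once the buffer is exhausted. */
        if (guard_exhausted && buf_len == 0)
            return -EINVAL;

        name_len = traced_strnlen(p, buf_len);

        /* Empty name, name running off the end without a NUL, or over-long. */
        if (name_len == 0 || name_len >= buf_len || name_len >= ENUM_NAME_MAX)
            return -EINVAL;

        if (names)
            names[i] = p;
        p += name_len + 1;
        buf_len -= name_len + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: two names, "Off" and "On", in 7 bytes. */
    static const char names_buf[] = "Off\0On\0";
    const char *names[3];
    int rc;

    reset_trace();
    rc = enum_names_walk(names_buf, 7, 2, names, 1);
    printf("2 items, guarded: rc=%d (%s, %s)\n", rc, names[0], names[1]);

    reset_trace();
    rc = enum_names_walk(names_buf, 7, 3, names, 0);
    printf("3 items, unguarded: rc=%d, strnlen(p,0) reached %d time(s)\n",
           rc, zero_len_strnlen_calls);

    reset_trace();
    rc = enum_names_walk(names_buf, 7, 3, names, 1);
    printf("3 items, guarded: rc=%d, strnlen(p,0) reached %d time(s)\n",
           rc, zero_len_strnlen_calls);
    return 0;
}
```

Both the unguarded and guarded walks reject an `items` count that exceeds the buffer, which is why the bug is invisible in userspace and in non-fortified kernels; the difference is that the unguarded loop reaches `strnlen(p, 0)` once before reporting the error, and that single call is what the fortified build can trap on.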