[PATCH v2] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs

Next message: Jiri Kosina: "Re: [PATCH 0/2] HID: appletb-kbd: fix UAF and mutex-in-atomic in inactivity timer"
Previous message: Selvamani Rajagopal: "RE: [PATCH net-next v2 4/9] net: phy: ncn26000: Support for internal phy for S2500"
Next in thread: Mark Brown: "Re: [PATCH v2] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yi Yang

Date: Tue May 12 2026 - 12:20:03 EST

The acoustic_ctl_write debugfs handler allocates a buffer via
memdup_user(from, count) but only validates that count is not too
large. It then accesses src[0] through src[6] without ensuring
count >= 7.

Add a minimum-size check of 7 bytes.

Signed-off-by: Yi Yang <yangyi@xxxxxxxxxxx>
Assisted-by: kimi-cli:kimi-k2.6
---
v2: fix the sign-off mail as well as using Latin version of my name in the mail, so they match.
---
sound/soc/codecs/tas2781-i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
index a78a8f9b9833..73e2c5b47f96 100644
--- a/sound/soc/codecs/tas2781-i2c.c
+++ b/sound/soc/codecs/tas2781-i2c.c
@@ -1529,8 +1529,8 @@ static ssize_t acoustic_ctl_write(struct file *file,
      unsigned short chn;
      int ret = -1;

- if (count > sizeof(*p)) {
- dev_err(priv->dev, "count(%u) is larger than max(%u).\n",
+ if (count > sizeof(*p) || count < 7) {
+ dev_err(priv->dev, "count(%u) out of range [7, %u].\n",
      (unsigned int)count, max_pkg_len);
      return ret;
      }
--
2.34.1