Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing

[Cássio Gabriel Monteiro Pires]

Hi!

On 6/3/26 14:57, Cássio Gabriel wrote:
> sof_parse_token_sets() reads array->size while iterating over topology
> private data. The loop condition only checks that some data remains, so a
> malformed topology with a truncated trailing vendor array can make the
> parser read the size field before a full vendor-array header is available.
> 
> Validate that the remaining private data contains a complete
> snd_soc_tplg_vendor_array header before reading array->size.
> 
> The declared array size check also needs to remain signed. asize is an int,
> but sizeof(*array) has type size_t, so comparing them directly promotes
> negative asize values to unsigned and lets them pass the check,
> as reported in the stable review thread reference below.
> 
> Cast sizeof(*array) to int when validating the declared array size. This
> rejects negative, zero and otherwise too-small sizes before the parser
> dispatches to the tuple-specific code.
> 
> Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@xxxxxxxxxxxxxx/t/#m9b3be379221e79327cc13fd71009287368ef4f23
> Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
> ---
>  sound/soc/sof/topology.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 8fc7726aec29..bb6b981e55d1 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
>  	int ret;
>  
>  	while (array_size > 0 && total < count * token_instance_num) {
> +		if (array_size < (int)sizeof(*array))
> +			return -EINVAL;
> +
>  		asize = le32_to_cpu(array->size);
>  
>  		/* validate asize */
> -		if (asize < sizeof(*array)) {
> +		if (asize < (int)sizeof(*array)) {
>  			dev_err(scomp->dev, "error: invalid array size 0x%x\n",
>  				asize);
>  			return -EINVAL;
> 

Gentle ping on that fix.
Sorry for the noise.

-- 
Thanks,
Cássio

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature