[PATCH 5.9 298/757] ASoC: SOF: control: add size checks for ext_bytes control .put()
From: Greg Kroah-Hartman
Date: Tue Oct 27 2020 - 11:41:40 EST
From: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
[ Upstream commit 2ca210112ad91880d2d5a3f85fecc838600afbce ]
Make sure the TLV header and size are consistent before copying from
userspace.
Fixes: c3078f5397046 ('ASoC: SOF: Add Sound Open Firmware KControl support')
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@xxxxxxxxxxxxxxx>
Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@xxxxxxxxxxxxxxx>
Signed-off-by: Kai Vehmanen <kai.vehmanen@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20200921110814.2910477-4-kai.vehmanen@xxxxxxxxxxxxxxx
Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
sound/soc/sof/control.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c
index 186eea105bb15..009938d45ddd9 100644
--- a/sound/soc/sof/control.c
+++ b/sound/soc/sof/control.c
@@ -298,6 +298,10 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol,
const struct snd_ctl_tlv __user *tlvd =
(const struct snd_ctl_tlv __user *)binary_data;
+ /* make sure we have at least a header */
+ if (size < sizeof(struct snd_ctl_tlv))
+ return -EINVAL;
+
/*
* The beginning of bytes data contains a header from where
* the length (as bytes) is needed to know the correct copy
@@ -306,6 +310,13 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol,
if (copy_from_user(&header, tlvd, sizeof(const struct snd_ctl_tlv)))
return -EFAULT;
+ /* make sure TLV info is consistent */
+ if (header.length + sizeof(struct snd_ctl_tlv) > size) {
+ dev_err_ratelimited(scomp->dev, "error: inconsistent TLV, data %d + header %zu > %d\n",
+ header.length, sizeof(struct snd_ctl_tlv), size);
+ return -EINVAL;
+ }
+
/* be->max is coming from topology */
if (header.length > be->max) {
dev_err_ratelimited(scomp->dev, "error: Bytes data size %d exceeds max %d.\n",
--
2.25.1