Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing

From: Péter Ujfalusi

Date: Wed Jun 10 2026 - 12:19:36 EST




On 03/06/2026 20:57, Cássio Gabriel wrote:
> sof_parse_token_sets() reads array->size while iterating over topology
> private data. The loop condition only checks that some data remains, so a
> malformed topology with a truncated trailing vendor array can make the
> parser read the size field before a full vendor-array header is available.
>
> Validate that the remaining private data contains a complete
> snd_soc_tplg_vendor_array header before reading array->size.
>
> The declared array size check also needs to remain signed. asize is an int,
> but sizeof(*array) has type size_t, so comparing them directly promotes
> negative asize values to unsigned and lets them pass the check,
> as reported in the stable review thread reference below.
>
> Cast sizeof(*array) to int when validating the declared array size. This
> rejects negative, zero and otherwise too-small sizes before the parser
> dispatches to the tuple-specific code.
>
> Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@xxxxxxxxxxxxxx/t/#m9b3be379221e79327cc13fd71009287368ef4f23
> Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
> ---
> sound/soc/sof/topology.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 8fc7726aec29..bb6b981e55d1 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> int ret;
>
> while (array_size > 0 && total < count * token_instance_num) {
> + if (array_size < (int)sizeof(*array))
> + return -EINVAL;
> +
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < sizeof(*array)) {
> + if (asize < (int)sizeof(*array)) {
> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> asize);
> return -EINVAL;

I think this only partially right, I would cover a bit more:

diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 898b94f88706..b0d37ec2bc5e 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -12,6 +12,7 @@
#include <linux/device.h>
#include <linux/errno.h>
#include <linux/firmware.h>
+#include <linux/overflow.h>
#include <linux/workqueue.h>
#include <sound/tlv.h>
#include <uapi/sound/sof/tokens.h>
@@ -738,27 +739,43 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
size_t offset = 0;
int found = 0;
int total = 0;
+ int max_tokens;
int asize;
int ret;

- while (array_size > 0 && total < count * token_instance_num) {
+ if (check_mul_overflow(count, token_instance_num, &max_tokens)) {
+ dev_err(scomp->dev, "%s: token count overflow %d * %d\n",
+ __func__, count, token_instance_num);
+ return -EINVAL;
+ }
+
+ while (array_size > 0 && total < max_tokens) {
+ if (array_size < (int)sizeof(*array)) {
+ dev_err(scomp->dev,
+ "%s: invalid remaining array size %d\n",
+ __func__, array_size);
+ return -EINVAL;
+ }
+
asize = le32_to_cpu(array->size);

/* validate asize */
- if (asize < sizeof(*array)) {
- dev_err(scomp->dev, "error: invalid array size 0x%x\n",
- asize);
+ if (asize < (int)sizeof(*array)) {
+ dev_err(scomp->dev, "%s: vendor array too small %d\n",
+ __func__, asize);
return -EINVAL;
}

/* make sure there is enough data before parsing */
- array_size -= asize;
- if (array_size < 0) {
- dev_err(scomp->dev, "error: invalid array size 0x%x\n",
- asize);
+ if (asize > array_size) {
+ dev_err(scomp->dev,
+ "%s: vendor array size %d exceeds remaining data\n",
+ __func__, asize);
return -EINVAL;
}

+ array_size -= asize;
+
/* call correct parser depending on type */
switch (le32_to_cpu(array->type)) {
case SND_SOC_TPLG_TUPLE_TYPE_UUID:

>
> ---
> base-commit: bb451bc01ea42c9e47557638400708e20df34178
> change-id: 20260530-sof-topology-array-size-signed-06abdacb1cdc
>
> Best regards,
> --
> Cássio Gabriel <cassiogabrielcontato@xxxxxxxxx>
>

--
Péter