Re: [PATCH] ASoC: SDCA: Validate written enum value in ge_put_enum_double()

Next message: Mukesh Ojha: "[PATCH 7/8] iommu/qcom: Enable clocks before hardware access in qcom_iommu_ctx_probe()"
Previous message: Pratyush Yadav: "Re: [PATCH v5 1/3] mm/memfd_luo: validate serialized_data before conversion"
In reply to: HyeongJun An: "[PATCH] ASoC: SDCA: Validate written enum value in ge_put_enum_double()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Charles Keepax

Date: Tue Jun 23 2026 - 08:22:47 EST

On Tue, Jun 23, 2026 at 08:05:26PM +0900, HyeongJun An wrote:
> ge_put_enum_double() passes the user-supplied enumeration index
> item[0] to snd_soc_enum_item_to_val() without checking it against the
> number of items in the enum:
>
> ret = snd_soc_enum_item_to_val(e, item[0]);
>
> snd_soc_enum_item_to_val() indexes the heap-allocated e->values[] array
> with that index (e->values is set from a devm_kcalloc() of e->items
> entries), so a control write with an out-of-range item[0] reads past the
> end of the values buffer. The bounds check in
> snd_soc_dapm_put_enum_double() only runs afterwards, so it does not
> prevent the read here.
>
> Reject an out-of-range item before using it, matching the other enum put
> handlers.
>
> This issue was pointed out by the Sashiko AI review bot while reviewing a
> related enum-validation series:
> https://lore.kernel.org/all/20260609125735.CEB651F00893@xxxxxxxxxxxxxxx/
>
> Fixes: 812ff1baa764 ("ASoC: SDCA: Limit values user can write to Selected Mode")
> Signed-off-by: HyeongJun An <sammiee5311@xxxxxxxxx>
> ---

Reviewed-by: Charles Keepax <ckeepax@xxxxxxxxxxxxxxxxxxxxx>

Thanks,
Charles