[PATCH] ASoC: max9759: fix underflow in speaker_gain_control_put()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Liam Girdwood <lgirdwood@gmail.com>,
	Neil Armstrong <narmstrong@baylibre.com>
Cc: alsa-devel@alsa-project.org,
	Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>,
	kernel-janitors@vger.kernel.org, Takashi Iwai <tiwai@suse.com>,
	Mark Brown <broonie@kernel.org>
Subject: [PATCH] ASoC: max9759: fix underflow in speaker_gain_control_put()
Date: Wed, 19 Jan 2022 15:31:01 +0300	[thread overview]
Message-ID: <20220119123101.GA9509@kili> (raw)

Check for negative values of "priv->gain" to prevent an out of bounds
access.  The concern is that these might come from the user via:
  -> snd_ctl_elem_write_user()
    -> snd_ctl_elem_write()
      -> kctl->put()

Fixes: fa8d915172b8 ("ASoC: max9759: Add Amplifier Driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
From static analysis.  Not tested.

This patch is obviously harmless but I sometimes get confused about
these sound get()/put() functions.  I have some code in Smatch which is
supposed to manually suppress warnings from snd_ctl_elem_write() but it
was four years old and has bitrotted so that's how I got this warning.

So I remember these as being false positives where Smatch gets confused
but when I searched my mailbox I just see similar patches which were
applied.

 sound/soc/codecs/max9759.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/soc/codecs/max9759.c b/sound/soc/codecs/max9759.c
index d75fd61b9032..bc57d7687f16 100644
--- a/sound/soc/codecs/max9759.c
+++ b/sound/soc/codecs/max9759.c
@@ -64,7 +64,8 @@ static int speaker_gain_control_put(struct snd_kcontrol *kcontrol,
 	struct snd_soc_component *c = snd_soc_kcontrol_component(kcontrol);
 	struct max9759 *priv = snd_soc_component_get_drvdata(c);
 
-	if (ucontrol->value.integer.value[0] > 3)
+	if (ucontrol->value.integer.value[0] < 0 ||
+	    ucontrol->value.integer.value[0] > 3)
 		return -EINVAL;
 
 	priv->gain = ucontrol->value.integer.value[0];
-- 
2.20.1

WARNING: multiple messages have this Message-ID (diff)

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Liam Girdwood <lgirdwood@gmail.com>,
	Neil Armstrong <narmstrong@baylibre.com>
Cc: Mark Brown <broonie@kernel.org>, Jaroslav Kysela <perex@perex.cz>,
	Takashi Iwai <tiwai@suse.com>,
	Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>,
	alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] ASoC: max9759: fix underflow in speaker_gain_control_put()
Date: Wed, 19 Jan 2022 15:31:01 +0300	[thread overview]
Message-ID: <20220119123101.GA9509@kili> (raw)

Check for negative values of "priv->gain" to prevent an out of bounds
access.  The concern is that these might come from the user via:
  -> snd_ctl_elem_write_user()
    -> snd_ctl_elem_write()
      -> kctl->put()

Fixes: fa8d915172b8 ("ASoC: max9759: Add Amplifier Driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
From static analysis.  Not tested.

This patch is obviously harmless but I sometimes get confused about
these sound get()/put() functions.  I have some code in Smatch which is
supposed to manually suppress warnings from snd_ctl_elem_write() but it
was four years old and has bitrotted so that's how I got this warning.

So I remember these as being false positives where Smatch gets confused
but when I searched my mailbox I just see similar patches which were
applied.

 sound/soc/codecs/max9759.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/soc/codecs/max9759.c b/sound/soc/codecs/max9759.c
index d75fd61b9032..bc57d7687f16 100644
--- a/sound/soc/codecs/max9759.c
+++ b/sound/soc/codecs/max9759.c
@@ -64,7 +64,8 @@ static int speaker_gain_control_put(struct snd_kcontrol *kcontrol,
 	struct snd_soc_component *c = snd_soc_kcontrol_component(kcontrol);
 	struct max9759 *priv = snd_soc_component_get_drvdata(c);
 
-	if (ucontrol->value.integer.value[0] > 3)
+	if (ucontrol->value.integer.value[0] < 0 ||
+	    ucontrol->value.integer.value[0] > 3)
 		return -EINVAL;
 
 	priv->gain = ucontrol->value.integer.value[0];
-- 
2.20.1

next             reply	other threads:[~2022-01-19 12:32 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-19 12:31 Dan Carpenter [this message]
2022-01-19 12:31 ` [PATCH] ASoC: max9759: fix underflow in speaker_gain_control_put() Dan Carpenter
2022-01-19 18:02 ` Mark Brown
2022-01-19 18:02   ` Mark Brown

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d75fd61b903 dfblob:bc57d7687f1 dfblob:d75fd61b903
dfblob:bc57d7687f1 )
 OR (
bs:"[PATCH] ASoC: max9759: fix underflow in speaker_gain_control_put()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220119123101.GA9509@kili \
    --to=dan.carpenter@oracle.com \
    --cc=alsa-devel@alsa-project.org \
    --cc=broonie@kernel.org \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=kuninori.morimoto.gx@renesas.com \
    --cc=lgirdwood@gmail.com \
    --cc=narmstrong@baylibre.com \
    --cc=tiwai@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.