* CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control @ 2025-09-11 16:52 Greg Kroah-Hartman 2025-10-06 7:07 ` Siddh Raman Pant 0 siblings, 1 reply; 5+ messages in thread From: Greg Kroah-Hartman @ 2025-09-11 16:52 UTC (permalink / raw) To: linux-cve-announce; +Cc: Greg Kroah-Hartman From: Greg Kroah-Hartman <gregkh@kernel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte buffer if either string argument is too long. This triggers a compiler warning. Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent overflow. The Linux kernel CVE team has assigned CVE-2025-39751 to this issue. Affected and fixed versions =========================== Fixed in 5.4.297 with commit 04fa6f5e94034654da3505d9e908dd9090f0e83c Fixed in 5.10.241 with commit fb8116c38d67d6e23f3b5e34bbc8d9f8c12e81e5 Fixed in 5.15.190 with commit c2dacfe495b72699a9480c95f8eef2285042e474 Fixed in 6.1.149 with commit 86a024a5a521da362fb67a3a6a84f54331503326 Fixed in 6.6.103 with commit 0de69bc9b3661e16c4b08b34949529553906f5e1 Fixed in 6.12.43 with commit 417407cdf587e3ae41a0e728daa562ee88fc1bd6 Fixed in 6.15.11 with commit 195e4cec1007c34ddeb0ce61ef14ce9ab312544f Fixed in 6.16.2 with commit cf494138b9d7f78bcb510b9ea5f5faa6e882a7a3 Fixed in 6.17-rc1 with commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39751 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: sound/pci/hda/patch_ca0132.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/04fa6f5e94034654da3505d9e908dd9090f0e83c https://git.kernel.org/stable/c/fb8116c38d67d6e23f3b5e34bbc8d9f8c12e81e5 https://git.kernel.org/stable/c/c2dacfe495b72699a9480c95f8eef2285042e474 https://git.kernel.org/stable/c/86a024a5a521da362fb67a3a6a84f54331503326 https://git.kernel.org/stable/c/0de69bc9b3661e16c4b08b34949529553906f5e1 https://git.kernel.org/stable/c/417407cdf587e3ae41a0e728daa562ee88fc1bd6 https://git.kernel.org/stable/c/195e4cec1007c34ddeb0ce61ef14ce9ab312544f https://git.kernel.org/stable/c/cf494138b9d7f78bcb510b9ea5f5faa6e882a7a3 https://git.kernel.org/stable/c/a409c60111e6bb98fcabab2aeaa069daa9434ca0 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control 2025-09-11 16:52 CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman @ 2025-10-06 7:07 ` Siddh Raman Pant 2025-10-06 8:14 ` gregkh 0 siblings, 1 reply; 5+ messages in thread From: Siddh Raman Pant @ 2025-10-06 7:07 UTC (permalink / raw) To: gregkh@linuxfoundation.org Cc: cve@kernel.org, linux-kernel@vger.kernel.org, gregkh@kernel.org [-- Attachment #1: Type: text/plain, Size: 673 bytes --] On Thu, 11 Sep 2025 18:52:52 +0200, Greg Kroah-Hartman wrote: > ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control > > The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte > buffer if either string argument is too long. This triggers a compiler > warning. > Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent > overflow. > > The Linux kernel CVE team has assigned CVE-2025-39751 to this issue. While the change is good for defensive reasons, there isn't actually any buffer overflow as it is to "fix". The largest string possible is "Wedge Angle Playback Volume", whose length is less than 44. Thanks, Siddh [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control 2025-10-06 7:07 ` Siddh Raman Pant @ 2025-10-06 8:14 ` gregkh 2025-10-06 9:19 ` Siddh Raman Pant 0 siblings, 1 reply; 5+ messages in thread From: gregkh @ 2025-10-06 8:14 UTC (permalink / raw) To: Siddh Raman Pant; +Cc: cve@kernel.org, linux-kernel@vger.kernel.org On Mon, Oct 06, 2025 at 07:07:00AM +0000, Siddh Raman Pant wrote: > On Thu, 11 Sep 2025 18:52:52 +0200, Greg Kroah-Hartman wrote: > > ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control > > > > The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte > > buffer if either string argument is too long. This triggers a compiler > > warning. > > Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent > > overflow. > > > > The Linux kernel CVE team has assigned CVE-2025-39751 to this issue. > > While the change is good for defensive reasons, there isn't actually > any buffer overflow as it is to "fix". > > The largest string possible is "Wedge Angle Playback Volume", whose > length is less than 44. Thanks for the info. What was the compiler warning about then if it could detect just how big the string would always be as these are static values? Should this CVE be rejected? thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control 2025-10-06 8:14 ` gregkh @ 2025-10-06 9:19 ` Siddh Raman Pant 2025-10-06 9:53 ` gregkh 0 siblings, 1 reply; 5+ messages in thread From: Siddh Raman Pant @ 2025-10-06 9:19 UTC (permalink / raw) To: gregkh@linuxfoundation.org; +Cc: cve@kernel.org, linux-kernel@vger.kernel.org [-- Attachment #1: Type: text/plain, Size: 1679 bytes --] On Mon, Oct 06 2025 at 13:44:23 +0530, gregkh@linuxfoundation.org wrote: > On Mon, Oct 06, 2025 at 07:07:00AM +0000, Siddh Raman Pant wrote: > > On Thu, 11 Sep 2025 18:52:52 +0200, Greg Kroah-Hartman wrote: > > > ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control > > > > > > The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte > > > buffer if either string argument is too long. This triggers a compiler > > > warning. > > > Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent > > > overflow. > > > > > > The Linux kernel CVE team has assigned CVE-2025-39751 to this issue. > > > > While the change is good for defensive reasons, there isn't actually > > any buffer overflow as it is to "fix". > > > > The largest string possible is "Wedge Angle Playback Volume", whose > > length is less than 44. > > Thanks for the info. What was the compiler warning about then if it > could detect just how big the string would always be as these are static > values? Probably a false positive. GCC docs does say: -Wformat-overflow -Wformat-overflow=level Warn about calls to formatted input/output functions such as sprintf and vsprintf that might overflow the destination buffer. When the exact number of bytes written by a format directive cannot be determined at compile-time it is estimated based on heuristics that depend on the level argument and on optimization. While enabling optimization will in most cases improve the accuracy of the warning, it may also result in false positives. > Should this CVE be rejected? Yes. Thanks, Siddh [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control 2025-10-06 9:19 ` Siddh Raman Pant @ 2025-10-06 9:53 ` gregkh 0 siblings, 0 replies; 5+ messages in thread From: gregkh @ 2025-10-06 9:53 UTC (permalink / raw) To: Siddh Raman Pant; +Cc: cve@kernel.org, linux-kernel@vger.kernel.org On Mon, Oct 06, 2025 at 09:19:42AM +0000, Siddh Raman Pant wrote: > On Mon, Oct 06 2025 at 13:44:23 +0530, gregkh@linuxfoundation.org > wrote: > > On Mon, Oct 06, 2025 at 07:07:00AM +0000, Siddh Raman Pant wrote: > > > On Thu, 11 Sep 2025 18:52:52 +0200, Greg Kroah-Hartman wrote: > > > > ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control > > > > > > > > The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte > > > > buffer if either string argument is too long. This triggers a compiler > > > > warning. > > > > Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent > > > > overflow. > > > > > > > > The Linux kernel CVE team has assigned CVE-2025-39751 to this issue. > > > > > > While the change is good for defensive reasons, there isn't actually > > > any buffer overflow as it is to "fix". > > > > > > The largest string possible is "Wedge Angle Playback Volume", whose > > > length is less than 44. > > > > Thanks for the info. What was the compiler warning about then if it > > could detect just how big the string would always be as these are static > > values? > > Probably a false positive. > > GCC docs does say: > > -Wformat-overflow > -Wformat-overflow=level > > Warn about calls to formatted input/output functions such > as sprintf and vsprintf that might overflow the > destination > buffer. When the exact number of bytes written by a format > directive cannot be determined at compile-time it is > estimated based on heuristics that depend on the level > argument and on optimization. While enabling optimization > will in most cases improve the accuracy of the warning, it > may also result in false positives. I can't seem to duplicate this warning on a newer version of gcc than the original test used: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ But that value of "767" is very specific, which feels odd to me. > > Should this CVE be rejected? > > Yes. Ok, will do, but this still seems odd, you should patch your kernel just to be safe :) thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-10-06 9:54 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-09-11 16:52 CVE-2025-39751: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman 2025-10-06 7:07 ` Siddh Raman Pant 2025-10-06 8:14 ` gregkh 2025-10-06 9:19 ` Siddh Raman Pant 2025-10-06 9:53 ` gregkh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.