From: sashiko-bot@kernel.org
To: "HyeongJun An" <sammiee5311@gmail.com>
Cc: neil.armstrong@linaro.org, linux-amlogic@lists.infradead.org
Subject: Re: [PATCH 2/4] ASoC: meson: aiu: Validate written enum values
Date: Tue, 09 Jun 2026 12:57:35 +0000 [thread overview]
Message-ID: <20260609125735.CEB651F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260609124317.38046-3-sammiee5311@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing bounds check on user-supplied `item[0]` index leads to an out-of-bounds heap read when evaluating `snd_soc_enum_item_to_val`.
--
commit 9a6f223d3a43c4d946f46b956e844cde37d09bef
Author: HyeongJun An <sammiee5311@gmail.com>
ASoC: meson: aiu: Validate written enum values
This commit fixes missing bounds checking on user-supplied enumeration
values in the AIU HDMI and internal codec mux put callbacks before they
are passed to snd_soc_enum_item_to_val().
> diff --git a/sound/soc/meson/aiu-acodec-ctrl.c b/sound/soc/meson/aiu-acodec-ctrl.c
> index 483772ba69cd7..94c5d65335233 100644
> --- a/sound/soc/meson/aiu-acodec-ctrl.c
> +++ b/sound/soc/meson/aiu-acodec-ctrl.c
> @@ -36,6 +36,9 @@ static int aiu_acodec_ctrl_mux_put_enum(struct snd_kcontrol *kcontrol,
> struct soc_enum *e = (struct soc_enum *)kcontrol->private_value;
> unsigned int mux, changed;
>
> + if (ucontrol->value.enumerated.item[0] >= e->items)
> + return -EINVAL;
> +
[Severity: High]
This is a pre-existing issue, but while you are fixing missing enum
validations here, does sound/soc/sdca/sdca_asoc.c:ge_put_enum_double()
suffer from the exact same out-of-bounds read?
In ge_put_enum_double(), the user-supplied index item[0] is passed to
snd_soc_enum_item_to_val() without verifying if it is less than e->items:
ret = snd_soc_enum_item_to_val(e, item[0]);
Because e->values is dynamically allocated on the heap, an unchecked
large item[0] can read memory past the end of the values buffer. If this
out-of-bounds read hits an unmapped page, could it trigger a page fault
via the ALSA control interface?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609124317.38046-1-sammiee5311@gmail.com?part=2
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
next prev parent reply other threads:[~2026-06-09 12:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 12:43 [PATCH 0/4] ASoC: Validate written enum values in custom controls HyeongJun An
2026-06-09 12:43 ` [PATCH 1/4] ASoC: codecs: hdac_hdmi: Validate written enum value HyeongJun An
2026-06-09 12:43 ` [PATCH 2/4] ASoC: meson: aiu: Validate written enum values HyeongJun An
2026-06-09 12:43 ` HyeongJun An
2026-06-09 12:57 ` sashiko-bot [this message]
2026-06-09 12:43 ` [PATCH 3/4] ASoC: fsl: fsl_audmix: " HyeongJun An
2026-06-09 12:43 ` [PATCH 4/4] ASoC: tegra: tegra210_ahub: Validate written enum value HyeongJun An
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609125735.CEB651F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-amlogic@lists.infradead.org \
--cc=neil.armstrong@linaro.org \
--cc=sammiee5311@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.