From: Dan Carpenter <error27@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: hexlabsecurity@proton.me, Mark Greer <mgreer@animalcreek.com>,
Vaibhav Agarwal <vaibhav.sr@gmail.com>,
Johan Hovold <johan@kernel.org>,
linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev,
greybus-dev@lists.linaro.org, Alex Elder <elder@kernel.org>
Subject: Re: [PATCH] greybus: audio: bound the topology section sizes against the fetched size
Date: Tue, 16 Jun 2026 10:42:43 +0300 [thread overview]
Message-ID: <ajD-c6_n-ZSHAk_l@stanley.mountain> (raw)
In-Reply-To: <2026061643-crowbar-handgrip-620d@gregkh>
On Tue, Jun 16, 2026 at 12:01:30PM +0530, Greg Kroah-Hartman wrote:
> On Tue, Jun 16, 2026 at 01:06:12AM -0500, Bryam Vargas via B4 Relay wrote:
> > ---
> > drivers/staging/greybus/audio_gb.c | 13 +++++++++++++
> > 1 file changed, 13 insertions(+)
> >
> > diff --git a/drivers/staging/greybus/audio_gb.c b/drivers/staging/greybus/audio_gb.c
> > index 9d8994fdb41a..144591f1a512 100644
> > --- a/drivers/staging/greybus/audio_gb.c
> > +++ b/drivers/staging/greybus/audio_gb.c
> > @@ -37,6 +37,19 @@ int gb_audio_gb_get_topology(struct gb_connection *connection,
> > return ret;
> > }
> >
> > + /*
> > + * The size_* fields are supplied by the module and are used by
> > + * gbaudio_tplg_parse_data() to compute offsets into the blob; make
> > + * sure the sections fit within the fetched topology, so walking it
> > + * cannot read out of bounds.
> > + */
> > + if ((u64)le32_to_cpu(topo->size_dais) + le32_to_cpu(topo->size_controls) +
> > + le32_to_cpu(topo->size_widgets) + le32_to_cpu(topo->size_routes) >
> > + size - sizeof(*topo)) {
>
> Are you sure these checks will not overflow?
Yep. The cast to u64 ensures that.
regards,
dan carpenter
next prev parent reply other threads:[~2026-06-16 7:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 6:06 [PATCH] greybus: audio: bound the topology section sizes against the fetched size Bryam Vargas via B4 Relay
2026-06-16 6:06 ` Bryam Vargas
2026-06-16 6:31 ` Greg Kroah-Hartman
2026-06-16 7:42 ` Dan Carpenter [this message]
2026-06-16 8:16 ` Bryam Vargas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajD-c6_n-ZSHAk_l@stanley.mountain \
--to=error27@gmail.com \
--cc=elder@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=greybus-dev@lists.linaro.org \
--cc=hexlabsecurity@proton.me \
--cc=johan@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=mgreer@animalcreek.com \
--cc=vaibhav.sr@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.