* [PATCH] ASoC: SDCA: Validate written enum value in ge_put_enum_double()
@ 2026-06-23 11:05 HyeongJun An
2026-06-23 12:20 ` Charles Keepax
0 siblings, 1 reply; 2+ messages in thread
From: HyeongJun An @ 2026-06-23 11:05 UTC (permalink / raw)
To: Mark Brown, Liam Girdwood, Charles Keepax, Maciej Strozek
Cc: Bard Liao, Pierre-Louis Bossart, Jaroslav Kysela, Takashi Iwai,
linux-sound, linux-kernel, HyeongJun An
ge_put_enum_double() passes the user-supplied enumeration index
item[0] to snd_soc_enum_item_to_val() without checking it against the
number of items in the enum:
ret = snd_soc_enum_item_to_val(e, item[0]);
snd_soc_enum_item_to_val() indexes the heap-allocated e->values[] array
with that index (e->values is set from a devm_kcalloc() of e->items
entries), so a control write with an out-of-range item[0] reads past the
end of the values buffer. The bounds check in
snd_soc_dapm_put_enum_double() only runs afterwards, so it does not
prevent the read here.
Reject an out-of-range item before using it, matching the other enum put
handlers.
This issue was pointed out by the Sashiko AI review bot while reviewing a
related enum-validation series:
https://lore.kernel.org/all/20260609125735.CEB651F00893@smtp.kernel.org/
Fixes: 812ff1baa764 ("ASoC: SDCA: Limit values user can write to Selected Mode")
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
sound/soc/sdca/sdca_asoc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/sdca/sdca_asoc.c b/sound/soc/sdca/sdca_asoc.c
index e76afa396b0a..b4dedba719dc 100644
--- a/sound/soc/sdca/sdca_asoc.c
+++ b/sound/soc/sdca/sdca_asoc.c
@@ -160,6 +160,9 @@ static int ge_put_enum_double(struct snd_kcontrol *kcontrol,
unsigned int reg = e->reg;
int ret;
+ if (item[0] >= e->items)
+ return -EINVAL;
+
reg &= ~SDW_SDCA_CTL_CSEL(0x3F);
reg |= SDW_SDCA_CTL_CSEL(SDCA_CTL_GE_DETECTED_MODE);
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] ASoC: SDCA: Validate written enum value in ge_put_enum_double()
2026-06-23 11:05 [PATCH] ASoC: SDCA: Validate written enum value in ge_put_enum_double() HyeongJun An
@ 2026-06-23 12:20 ` Charles Keepax
0 siblings, 0 replies; 2+ messages in thread
From: Charles Keepax @ 2026-06-23 12:20 UTC (permalink / raw)
To: HyeongJun An
Cc: Mark Brown, Liam Girdwood, Maciej Strozek, Bard Liao,
Pierre-Louis Bossart, Jaroslav Kysela, Takashi Iwai, linux-sound,
linux-kernel
On Tue, Jun 23, 2026 at 08:05:26PM +0900, HyeongJun An wrote:
> ge_put_enum_double() passes the user-supplied enumeration index
> item[0] to snd_soc_enum_item_to_val() without checking it against the
> number of items in the enum:
>
> ret = snd_soc_enum_item_to_val(e, item[0]);
>
> snd_soc_enum_item_to_val() indexes the heap-allocated e->values[] array
> with that index (e->values is set from a devm_kcalloc() of e->items
> entries), so a control write with an out-of-range item[0] reads past the
> end of the values buffer. The bounds check in
> snd_soc_dapm_put_enum_double() only runs afterwards, so it does not
> prevent the read here.
>
> Reject an out-of-range item before using it, matching the other enum put
> handlers.
>
> This issue was pointed out by the Sashiko AI review bot while reviewing a
> related enum-validation series:
> https://lore.kernel.org/all/20260609125735.CEB651F00893@smtp.kernel.org/
>
> Fixes: 812ff1baa764 ("ASoC: SDCA: Limit values user can write to Selected Mode")
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
> ---
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Thanks,
Charles
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-23 12:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-23 11:05 [PATCH] ASoC: SDCA: Validate written enum value in ge_put_enum_double() HyeongJun An
2026-06-23 12:20 ` Charles Keepax
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.