* [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
@ 2026-06-03 17:57 Cássio Gabriel
2026-06-10 11:06 ` Mark Brown
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Cássio Gabriel @ 2026-06-03 17:57 UTC
To: Liam Girdwood, Peter Ujfalusi, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Mark Brown, Takashi Iwai,
Jaroslav Kysela
Cc: sound-open-firmware, linux-sound, linux-kernel, notify, stable,
Cássio Gabriel

sof_parse_token_sets() reads array->size while iterating over topology
private data. The loop condition only checks that some data remains, so a
malformed topology with a truncated trailing vendor array can make the
parser read the size field before a full vendor-array header is available.

Validate that the remaining private data contains a complete
snd_soc_tplg_vendor_array header before reading array->size.

The declared array size check also needs to remain signed. asize is an int,
but sizeof(*array) has type size_t, so comparing them directly promotes
negative asize values to unsigned and lets them pass the check,
as reported in the stable review thread reference below.

Cast sizeof(*array) to int when validating the declared array size. This
rejects negative, zero and otherwise too-small sizes before the parser
dispatches to the tuple-specific code.

Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
sound/soc/sof/topology.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 8fc7726aec29..bb6b981e55d1 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
int ret;
while (array_size > 0 && total < count * token_instance_num) {
+ if (array_size < (int)sizeof(*array))
+ return -EINVAL;
+
asize = le32_to_cpu(array->size);
/* validate asize */
- if (asize < sizeof(*array)) {
+ if (asize < (int)sizeof(*array)) {
dev_err(scomp->dev, "error: invalid array size 0x%x\n",
asize);
return -EINVAL;
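Review bot: the new `if (array_size < (int)sizeof(*array))` test at the top of the loop returns -EINVAL without logging anything, while the asize test a few lines below reports through dev_err. A truncated topology would then fail to load with no hint of which check rejected it. Add a dev_err that prints the remaining array_size before the return, in the same style as the existing message.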
---
base-commit: bb451bc01ea42c9e47557638400708e20df34178
change-id: 20260530-sof-topology-array-size-signed-06abdacb1cdc
Best regards,
--
Cássio Gabriel <cassiogabrielcontato@gmail.com>
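The two checks described in the commit message above, modelled in user space as an added example (not the kernel code and not the patch author's): the 12-byte HDR_SIZE, the helper names and the sample buffers are assumptions made for illustration, and the upper-bound test stands in for the parser's existing "enough data" check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 12 /* assumed header: three 32-bit fields (size, type, num_elems) */

/* Decode a little-endian 32-bit field as a signed int, like asize in the patch. */
static int get_le32(const uint8_t *p)
{
	return (int)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
		     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Pre-fix test: comparing int with size_t converts asize to unsigned first. */
static int accepts_unsigned(int asize)
{
	return !((size_t)asize < (size_t)HDR_SIZE);
}

/* Patched test: both operands are int, so negative sizes are rejected. */
static int accepts_signed(int asize)
{
	return !(asize < (int)HDR_SIZE);
}

/* Walk the arrays in data; return how many were accepted, or -1 if malformed. */
static int walk_vendor_arrays(const uint8_t *data, int array_size)
{
	int walked = 0;

	while (array_size > 0) {
		int asize;

		if (array_size < HDR_SIZE)	/* truncated header: do not read size */
			return -1;
		asize = get_le32(data);
		if (!accepts_signed(asize))	/* negative, zero or too small */
			return -1;
		if (asize > array_size)		/* declared size exceeds remaining data */
			return -1;
		data += asize;
		array_size -= asize;
		walked++;
	}
	return walked;
}

/* Constructed sample buffers, not real topology data. */
static const uint8_t good[16] = { 16, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 2, 3, 4 };
static const uint8_t truncated[20] = { 16, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0,
				       1, 2, 3, 4, 16, 0, 0, 0 };
static const uint8_t negative[16] = { 0xf0, 0xff, 0xff, 0xff, 0, 0, 0, 0, 1 };

int main(void)
{
	printf("asize=-16 unsigned check accepts: %d, signed: %d\n",
	       accepts_unsigned(-16), accepts_signed(-16));
	printf("good=%d truncated=%d negative=%d\n",
	       walk_vendor_arrays(good, (int)sizeof(good)),
	       walk_vendor_arrays(truncated, (int)sizeof(truncated)),
	       walk_vendor_arrays(negative, (int)sizeof(negative)));
	return 0;
}
```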
* Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
From: Mark Brown @ 2026-06-10 11:06 UTC
To: Liam Girdwood, Peter Ujfalusi, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Takashi Iwai, Jaroslav Kysela,
Cássio Gabriel
Cc: sound-open-firmware, linux-sound, linux-kernel, notify, stable
On Wed, 03 Jun 2026 14:57:54 -0300, Cássio Gabriel wrote:
> ASoC: SOF: topology: validate vendor array size before parsing
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-7.2
Thanks!
[1/1] ASoC: SOF: topology: validate vendor array size before parsing
https://git.kernel.org/broonie/sound/c/8468dd79cfb2
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
* Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
From: Cássio Gabriel Monteiro Pires @ 2026-06-10 14:27 UTC
To: Peter Ujfalusi, Liam Girdwood, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Mark Brown, Takashi Iwai,
Jaroslav Kysela
Cc: sound-open-firmware, linux-sound, linux-kernel, notify, stable
Hi!
On 6/3/26 14:57, Cássio Gabriel wrote:
> sof_parse_token_sets() reads array->size while iterating over topology
> private data. The loop condition only checks that some data remains, so a
> malformed topology with a truncated trailing vendor array can make the
> parser read the size field before a full vendor-array header is available.
>
> Validate that the remaining private data contains a complete
> snd_soc_tplg_vendor_array header before reading array->size.
>
> The declared array size check also needs to remain signed. asize is an int,
> but sizeof(*array) has type size_t, so comparing them directly promotes
> negative asize values to unsigned and lets them pass the check,
> as reported in the stable review thread reference below.
>
> Cast sizeof(*array) to int when validating the declared array size. This
> rejects negative, zero and otherwise too-small sizes before the parser
> dispatches to the tuple-specific code.
>
> Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
> Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
> ---
> sound/soc/sof/topology.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 8fc7726aec29..bb6b981e55d1 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> int ret;
>
> while (array_size > 0 && total < count * token_instance_num) {
> + if (array_size < (int)sizeof(*array))
> + return -EINVAL;
> +
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < sizeof(*array)) {
> + if (asize < (int)sizeof(*array)) {
> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> asize);
> return -EINVAL;
>
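Review bot: the dev_err kept under `/* validate asize */` still formats asize with 0x%x. With the signed comparison a negative asize now reaches this branch and is printed as a large hex value, which hides that the field was negative. Printing it with %d would make the log line match what was actually rejected.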
Gentle ping on that fix.
Sorry for the noise.
--
Thanks,
Cássio
* Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
From: Mark Brown @ 2026-06-10 15:22 UTC
To: Cássio Gabriel Monteiro Pires
Cc: Peter Ujfalusi, Liam Girdwood, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Takashi Iwai, Jaroslav Kysela,
sound-open-firmware, linux-sound, linux-kernel, notify, stable
On Wed, Jun 10, 2026 at 11:27:25AM -0300, Cássio Gabriel Monteiro Pires wrote:
> Gentle ping on that fix.
> Sorry for the noise.
Please don't send content free pings and please allow a reasonable time
for review. People get busy, go on holiday, attend conferences and so
on so unless there is some reason for urgency (like critical bug fixes)
please allow at least a couple of weeks for review. If there have been
review comments then people may be waiting for those to be addressed.
Sending content free pings adds to the mail volume (if they are seen at
all) which is often the problem and since they can't be reviewed
directly if something has gone wrong you'll have to resend the patches
anyway, so sending again is generally a better approach though there are
some other maintainers who like them - if in doubt look at how patches
for the subsystem are normally handled.
* Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
From: Cássio Gabriel Monteiro Pires @ 2026-06-10 15:35 UTC
To: Mark Brown
Cc: Peter Ujfalusi, Liam Girdwood, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Takashi Iwai, Jaroslav Kysela,
sound-open-firmware, linux-sound, linux-kernel, notify, stable
On 6/10/26 12:22, Mark Brown wrote:
> Please don't send content free pings and please allow a reasonable time
> for review. People get busy, go on holiday, attend conferences and so
> on so unless there is some reason for urgency (like critical bug fixes)
> please allow at least a couple of weeks for review. If there have been
> review comments then people may be waiting for those to be addressed.
>
> Sending content free pings adds to the mail volume (if they are seen at
> all) which is often the problem and since they can't be reviewed
> directly if something has gone wrong you'll have to resend the patches
> anyway, so sending again is generally a better approach though there are
> some other maintainers who like them - if in doubt look at how patches
> for the subsystem are normally handled.
Okay, thank you for the advice as I am still
getting used to how this subsystem operates.
Regards,
Cássio
* Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
From: Péter Ujfalusi @ 2026-06-10 16:03 UTC
To: Cássio Gabriel, Liam Girdwood, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Mark Brown, Takashi Iwai,
Jaroslav Kysela
Cc: sound-open-firmware, linux-sound, linux-kernel, notify, stable
On 03/06/2026 20:57, Cássio Gabriel wrote:
> sof_parse_token_sets() reads array->size while iterating over topology
> private data. The loop condition only checks that some data remains, so a
> malformed topology with a truncated trailing vendor array can make the
> parser read the size field before a full vendor-array header is available.
>
> Validate that the remaining private data contains a complete
> snd_soc_tplg_vendor_array header before reading array->size.
>
> The declared array size check also needs to remain signed. asize is an int,
> but sizeof(*array) has type size_t, so comparing them directly promotes
> negative asize values to unsigned and lets them pass the check,
> as reported in the stable review thread reference below.
>
> Cast sizeof(*array) to int when validating the declared array size. This
> rejects negative, zero and otherwise too-small sizes before the parser
> dispatches to the tuple-specific code.
>
> Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
> Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
> ---
> sound/soc/sof/topology.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 8fc7726aec29..bb6b981e55d1 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> int ret;
>
> while (array_size > 0 && total < count * token_instance_num) {
> + if (array_size < (int)sizeof(*array))
> + return -EINVAL;
> +
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < sizeof(*array)) {
> + if (asize < (int)sizeof(*array)) {
> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> asize);
> return -EINVAL;
I think this is only partially right, I would cover a bit more:
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 898b94f88706..b0d37ec2bc5e 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -12,6 +12,7 @@
#include <linux/device.h>
#include <linux/errno.h>
#include <linux/firmware.h>
+#include <linux/overflow.h>
#include <linux/workqueue.h>
#include <sound/tlv.h>
#include <uapi/sound/sof/tokens.h>
@@ -738,27 +739,43 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
size_t offset = 0;
int found = 0;
int total = 0;
+ int max_tokens;
int asize;
int ret;
- while (array_size > 0 && total < count * token_instance_num) {
+ if (check_mul_overflow(count, token_instance_num, &max_tokens)) {
+ dev_err(scomp->dev, "%s: token count overflow %d * %d\n",
+ __func__, count, token_instance_num);
+ return -EINVAL;
+ }
+
+ while (array_size > 0 && total < max_tokens) {
+ if (array_size < (int)sizeof(*array)) {
+ dev_err(scomp->dev,
+ "%s: invalid remaining array size %d\n",
+ __func__, array_size);
+ return -EINVAL;
+ }
+
asize = le32_to_cpu(array->size);
/* validate asize */
- if (asize < sizeof(*array)) {
- dev_err(scomp->dev, "error: invalid array size 0x%x\n",
- asize);
+ if (asize < (int)sizeof(*array)) {
+ dev_err(scomp->dev, "%s: vendor array too small %d\n",
+ __func__, asize);
return -EINVAL;
}
/* make sure there is enough data before parsing */
- array_size -= asize;
- if (array_size < 0) {
- dev_err(scomp->dev, "error: invalid array size 0x%x\n",
- asize);
+ if (asize > array_size) {
+ dev_err(scomp->dev,
+ "%s: vendor array size %d exceeds remaining data\n",
+ __func__, asize);
return -EINVAL;
}
+ array_size -= asize;
+
/* call correct parser depending on type */
switch (le32_to_cpu(array->type)) {
case SND_SOC_TPLG_TUPLE_TYPE_UUID:
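Review bot: both existing dev_err strings are reworded in this hunk ("error: invalid array size 0x%x" is dropped in two places) alongside the new checks, which makes a fix carrying Cc: stable larger than the bounds logic needs. Consider limiting message changes to the lines that gain new checks, or moving the rewording to a follow-up patch. The changelog should also say that testing `asize > array_size` before `array_size -= asize` rejects the same inputs as the old subtract-then-test order, so reviewers do not have to re-derive that.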
>
> ---
> base-commit: bb451bc01ea42c9e47557638400708e20df34178
> change-id: 20260530-sof-topology-array-size-signed-06abdacb1cdc
>
> Best regards,
> --
> Cássio Gabriel <cassiogabrielcontato@gmail.com>
>
--
Péter
* Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
From: Cássio Gabriel Monteiro Pires @ 2026-06-10 17:03 UTC
To: Péter Ujfalusi, Liam Girdwood, Bard Liao, Daniel Baluta,
Kai Vehmanen, Pierre-Louis Bossart, Mark Brown, Takashi Iwai,
Jaroslav Kysela
Cc: sound-open-firmware, linux-sound, linux-kernel, notify, stable
On 6/10/26 13:03, Péter Ujfalusi wrote:
>> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
>> index 8fc7726aec29..bb6b981e55d1 100644
>> --- a/sound/soc/sof/topology.c
>> +++ b/sound/soc/sof/topology.c
>> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
>> int ret;
>>
>> while (array_size > 0 && total < count * token_instance_num) {
>> + if (array_size < (int)sizeof(*array))
>> + return -EINVAL;
>> +
>> asize = le32_to_cpu(array->size);
>>
>> /* validate asize */
>> - if (asize < sizeof(*array)) {
>> + if (asize < (int)sizeof(*array)) {
>> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
>> asize);
>> return -EINVAL;
>
> I think this is only partially right, I would cover a bit more:
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 898b94f88706..b0d37ec2bc5e 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -12,6 +12,7 @@
> #include <linux/device.h>
> #include <linux/errno.h>
> #include <linux/firmware.h>
> +#include <linux/overflow.h>
> #include <linux/workqueue.h>
> #include <sound/tlv.h>
> #include <uapi/sound/sof/tokens.h>
> @@ -738,27 +739,43 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> size_t offset = 0;
> int found = 0;
> int total = 0;
> + int max_tokens;
> int asize;
> int ret;
>
> - while (array_size > 0 && total < count * token_instance_num) {
> + if (check_mul_overflow(count, token_instance_num, &max_tokens)) {
> + dev_err(scomp->dev, "%s: token count overflow %d * %d\n",
> + __func__, count, token_instance_num);
> + return -EINVAL;
> + }
> +
> + while (array_size > 0 && total < max_tokens) {
> + if (array_size < (int)sizeof(*array)) {
> + dev_err(scomp->dev,
> + "%s: invalid remaining array size %d\n",
> + __func__, array_size);
> + return -EINVAL;
> + }
> +
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < sizeof(*array)) {
> - dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> - asize);
> + if (asize < (int)sizeof(*array)) {
> + dev_err(scomp->dev, "%s: vendor array too small %d\n",
> + __func__, asize);
> return -EINVAL;
> }
>
> /* make sure there is enough data before parsing */
> - array_size -= asize;
> - if (array_size < 0) {
> - dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> - asize);
> + if (asize > array_size) {
> + dev_err(scomp->dev,
> + "%s: vendor array size %d exceeds remaining data\n",
> + __func__, asize);
> return -EINVAL;
> }
>
> + array_size -= asize;
> +
> /* call correct parser depending on type */
> switch (le32_to_cpu(array->type)) {
> case SND_SOC_TPLG_TUPLE_TYPE_UUID:
>
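Review bot: check_mul_overflow() in the new pre-loop block only rejects a product that does not fit in max_tokens. A zero or negative count or token_instance_num still yields max_tokens <= 0, so `while (array_size > 0 && total < max_tokens)` is skipped without any message. If either value can be influenced by the topology file, reject non-positive values next to the overflow check.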
Thank you, this is way more complete.
I will respin a v2.
--
Thanks,
Cássio