From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>,
	Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>,
	perex@perex.cz, tiwai@suse.com, dev@xianwang.io,
	gremlin@altlinux.org, ye.xingchen@zte.com.cn,
	alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.15 07/16] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
Date: Wed, 22 Mar 2023 16:01:11 -0400
Message-ID: <20230322200121.1997157-7-sashal@kernel.org>
In-Reply-To: <20230322200121.1997157-1-sashal@kernel.org>

From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]

tuning_ctl_set() might have a buffer overrun at (X) if it didn't break
from the loop by matching (A).

	static int tuning_ctl_set(...)
	{
		for (i = 0; i < TUNING_CTLS_COUNT; i++)
(A)			if (nid == ca0132_tuning_ctls[i].nid)
				break;

		snd_hda_power_up(...);
(X)		dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
		snd_hda_power_down(...);                ^

		return 1;
	}

We will get the error below from cppcheck:

	sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
	 for (i = 0; i < TUNING_CTLS_COUNT; i++)
	 ^
	sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
	 dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
	                                           ^
This patch takes care of the non-match case.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/patch_ca0132.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index c0cb6e49a9b65..2646663e03426 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4231,8 +4231,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
 
 	for (i = 0; i < TUNING_CTLS_COUNT; i++)
 		if (nid == ca0132_tuning_ctls[i].nid)
-			break;
+			goto found;
 
+	return -EINVAL;
+found:
 	snd_hda_power_up(codec);
 	dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
 			ca0132_tuning_ctls[i].req,
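
Review bot: the not-found exit at `return -EINVAL;` is placed between the loop and the `found:` label, so the matched path now reaches `dspio_set_param()` only through a `goto`. Keeping the original `break` and adding `if (i == TUNING_CTLS_COUNT) return -EINVAL;` right after the loop would give the same bound on `ca0132_tuning_ctls[i]` without a label, and would put the check next to the index use where a later reader or a static analyzer sees it directly. Separately, the commit message shows the matched path returning 1, so this is the first negative return from `tuning_ctl_set()`; it is worth confirming that each caller propagates or handles `-EINVAL` rather than treating any non-zero value as "value changed", and saying so in the changelog.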
-- 
2.39.2

