From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ravulapati Vishnu Vardhan Rao, Sasha Levin, srinivas.kandagatla@linaro.org, bgoswami@quicinc.com, lgirdwood@gmail.com, broonie@kernel.org, perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 6.3 15/37] ASoC: lpass: Fix for KASAN use_after_free out of bounds
Date: Wed, 31 May 2023 09:39:57 -0400
Message-Id: <20230531134020.3383253-15-sashal@kernel.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230531134020.3383253-1-sashal@kernel.org>
References: <20230531134020.3383253-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ravulapati Vishnu Vardhan Rao

[ Upstream commit 75e5fab7db0cecb6e16b22c34608f0b40a4c7cd1 ]

When we run syzkaller we get below Out of Bounds error.

"KASAN: slab-out-of-bounds Read in regcache_flat_read"

Below is the backtrace of the issue:

BUG: KASAN: slab-out-of-bounds in regcache_flat_read+0x10c/0x110
Read of size 4 at addr ffffff8088fbf714 by task syz-executor.4/14144
CPU: 6 PID: 14144 Comm: syz-executor.4 Tainted: G W
Hardware name: Qualcomm Technologies, Inc. sc7280 CRD platform (rev5+) (DT)
Call trace:
dump_backtrace+0x0/0x4ec
show_stack+0x34/0x50
dump_stack_lvl+0xdc/0x11c
print_address_description+0x30/0x2d8
kasan_report+0x178/0x1e4
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf8/0x5a0
_regmap_read+0x45c/0x86c
_regmap_update_bits+0x128/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_put_dec_enum+0x1d0/0x268
snd_ctl_elem_write+0x288/0x474

By Error checking and checking valid values issue gets rectified.

Signed-off-by: Ravulapati Vishnu Vardhan Rao
---
 sound/soc/codecs/lpass-tx-macro.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c index 589c490a8c487..88d8fa58ec1eb 100644 --- a/sound/soc/codecs/lpass-tx-macro.c +++ b/sound/soc/codecs/lpass-tx-macro.c @@ -746,6 +746,8 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, struct tx_macro *tx = snd_soc_component_get_drvdata(component); val = ucontrol->value.enumerated.item[0]; + if (val >= e->items) + return -EINVAL; switch (e->reg) { case CDC_TX_INP_MUX_ADC_MUX0_CFG0: @@ -772,6 +774,9 @@ static int tx_macro_put_dec_enum(struct snd_kcontrol *kcontrol, case CDC_TX_INP_MUX_ADC_MUX7_CFG0: mic_sel_reg = CDC_TX7_TX_PATH_CFG0; break; + default: + dev_err(component->dev, "Error in configuration!!\n"); + return -EINVAL; } if (val != 0) { -- 2.39.2
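
Review bot: in the first hunk (@@ -746,6 +746,8), the new `if (val >= e->items)` test rejects negative input only if `val` is unsigned, and its declaration is outside the visible context. Please confirm that `val` has the same unsigned type as `ucontrol->value.enumerated.item[0]`, or compare `ucontrol->value.enumerated.item[0]` against `e->items` directly before assigning it. A one-line comment saying that the item index comes from userspace through the control write path (the backtrace enters through snd_ctl_elem_write) would also explain why the check is needed, which the commit message does not spell out.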
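
Review bot: in the second hunk (@@ -772,6 +774,9), the `default:` branch logs "Error in configuration!!", which does not identify what was wrong. Since the switch is on `e->reg`, the message should name the unexpected register, for example `dev_err(component->dev, "unexpected mux register 0x%x\n", e->reg);`, so that a report of this path can be tied to a specific control. The commit message should also say whether this branch is reachable in practice or is purely defensive, because the KASAN report it quotes is a slab-out-of-bounds read while the subject line says use_after_free.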