From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>,
Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, ye.xingchen@zte.com.cn,
dev@xianwang.io, gremlin@altlinux.org,
alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.10 04/12] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
Date: Wed, 22 Mar 2023 16:01:58 -0400 [thread overview]
Message-ID: <20230322200207.1997367-4-sashal@kernel.org> (raw)
In-Reply-To: <20230322200207.1997367-1-sashal@kernel.org>
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 98e5eb110095ec77cb6d775051d181edbf9cd3cf ]
tuning_ctl_set() might have buffer overrun at (X) if it didn't break
from loop by matching (A).
static int tuning_ctl_set(...)
{
for (i = 0; i < TUNING_CTLS_COUNT; i++)
(A) if (nid == ca0132_tuning_ctls[i].nid)
break;
snd_hda_power_up(...);
(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
snd_hda_power_down(...); ^
return 1;
}
We will get below error by cppcheck
sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
for (i = 0; i < TUNING_CTLS_COUNT; i++)
^
sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
^
This patch cares non match case.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87sfe9eap7.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_ca0132.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index 24c2638cde376..6057084da4cf8 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4108,8 +4108,10 @@ static int tuning_ctl_set(struct hda_codec *codec, hda_nid_t nid,
for (i = 0; i < TUNING_CTLS_COUNT; i++)
if (nid == ca0132_tuning_ctls[i].nid)
- break;
+ goto found;
+ return -EINVAL;
+found:
snd_hda_power_up(codec);
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
ca0132_tuning_ctls[i].req,
--
2.39.2
next prev parent reply other threads:[~2023-03-22 20:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-22 20:01 [PATCH AUTOSEL 5.10 01/12] md: avoid signed overflow in slot_store() Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.10 02/12] net: hsr: Don't log netdev_err message on unknown prp dst node Sasha Levin
2023-03-22 20:01 ` [PATCH AUTOSEL 5.10 03/12] ALSA: asihpi: check pao in control_message() Sasha Levin
2023-03-22 20:01 ` Sasha Levin [this message]
2023-03-22 20:01 ` [PATCH AUTOSEL 5.10 05/12] fbdev: tgafb: Fix potential divide by zero Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 06/12] sched_getaffinity: don't assume 'cpumask_size()' is fully initialized Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 07/12] fbdev: nvidia: Fix potential divide by zero Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 08/12] fbdev: intelfb: " Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 09/12] fbdev: lxfb: " Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 10/12] fbdev: au1200fb: " Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 11/12] tools/power turbostat: Fix /dev/cpu_dma_latency warnings Sasha Levin
2023-03-22 20:02 ` [PATCH AUTOSEL 5.10 12/12] tracing: Fix wrong return in kprobe_event_gen_test.c Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230322200207.1997367-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alsa-devel@alsa-project.org \
--cc=dev@xianwang.io \
--cc=gremlin@altlinux.org \
--cc=kuninori.morimoto.gx@renesas.com \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
--cc=ye.xingchen@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).