From: Takashi Iwai <tiwai@suse.de>
To: "Cássio Gabriel" <cassiogabrielcontato@gmail.com>
Cc: Takashi Iwai <tiwai@suse.com>,
Anton Yakovlev <anton.yakovlev@opensynergy.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Aiswarya Cyriac <aiswarya.cyriac@opensynergy.com>,
Jaroslav Kysela <perex@perex.cz>,
virtualization@lists.linux.dev, linux-sound@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] ALSA: virtio: Validate control metadata from the device
Date: Fri, 15 May 2026 11:21:56 +0200
Message-ID: <87h5o9t4cr.wl-tiwai@suse.de>
In-Reply-To: <20260507-alsa-virtio-validate-kctl-info-v1-1-7404fb12ec37@gmail.com>

On Thu, 07 May 2026 16:28:30 +0200,
Cássio Gabriel wrote:
>
> virtio-snd control handling trusts the device-provided control type and
> value count returned by the device.
>
> That metadata is then used directly to index g_v2a_type_map[] in
> virtsnd_kctl_info(), and to size loops and memcpy() operations in
> virtsnd_kctl_get() and virtsnd_kctl_put() against fixed-size
> virtio_snd_ctl_value and snd_ctl_elem_value arrays.
>
> A buggy or malicious device can therefore trigger out-of-bounds access by
> advertising an invalid control type or an oversized value count.
>
> Validate control type and count once in virtsnd_kctl_parse_cfg(), before
> querying enumerated items or exposing the control to ALSA.
>
> Fixes: d6568e3de42d ("ALSA: virtio: add support for audio controls")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>

Applied to for-next branch now. Thanks.

Takashi
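
The validate-once-at-parse-time pattern described in the quoted commit message, as an added user-space example; it is not part of this thread and not the patch's code. The 8-byte record layout, the names (ctl_parse_cfg, ctl_info, ctl_value, type_name) and the limit CTL_MAX_VALUES are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for this example; not the kernel's definitions. */
enum { CTL_BOOLEAN, CTL_INTEGER, CTL_ENUMERATED, CTL_NTYPES };
#define CTL_MAX_VALUES 8              /* assumed size of the fixed value array */
static const char *const type_name[CTL_NTYPES] = { "bool", "int", "enum" };

struct ctl_info  { uint32_t type, count; };      /* decoded device metadata */
struct ctl_value { uint32_t v[CTL_MAX_VALUES]; };

/* virtio fields are little-endian on the wire. */
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one record (assumed layout: le32 type, le32 count) and validate it
 * once, before anything else uses it. Fills *out only when both are in bounds. */
int ctl_parse_cfg(const uint8_t *rec, size_t len, struct ctl_info *out)
{
    if (len < 8)
        return -1;
    uint32_t type = le32(rec), count = le32(rec + 4);
    if (type >= CTL_NTYPES)           /* would index past type_name[] */
        return -1;
    if (count > CTL_MAX_VALUES)       /* would overrun ctl_value.v[] */
        return -1;
    out->type = type;
    out->count = count;
    return 0;
}

/* Both helpers are safe only for a ctl_info that ctl_parse_cfg() accepted. */
const char *ctl_type_name(const struct ctl_info *i) { return type_name[i->type]; }

size_t ctl_get(const struct ctl_info *i, const struct ctl_value *dev,
               struct ctl_value *user)
{
    size_t n = (size_t)i->count * sizeof(dev->v[0]);
    memcpy(user->v, dev->v, n);       /* n <= sizeof(user->v) by validation */
    return n;
}

/* Constructed sample records: valid, invalid type, oversized count. */
const uint8_t rec_ok[8]        = { 1, 0, 0, 0,  4, 0, 0, 0 };
const uint8_t rec_bad_type[8]  = { 0x2a, 0, 0, 0,  1, 0, 0, 0 };
const uint8_t rec_bad_count[8] = { 1, 0, 0, 0,  0xff, 0xff, 0, 0 };
```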