From ec5a97624a8de4f44b090cf53bd48c05458e0b17 Mon Sep 17 00:00:00 2001 From: Pierre-Louis Bossart Date: Mon, 21 Sep 2020 14:08:11 +0300 Subject: ASoC: SOF: control: fix size checks for volatile ext_bytes control .get() Mirror addition of checks for regular ext_bytes controls. Fixes: 783560d02dd61 ('ASoC: SOF: Implement snd_sof_bytes_ext_volatile_get kcontrol IO') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Ranjani Sridharan Reviewed-by: Guennadi Liakhovetski Signed-off-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200921110814.2910477-3-kai.vehmanen@linux.intel.com Signed-off-by: Mark Brown --- sound/soc/sof/control.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'sound/soc') diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c index 8d499d0e331d..9465611156d5 100644 --- a/sound/soc/sof/control.c +++ b/sound/soc/sof/control.c @@ -369,6 +369,14 @@ int snd_sof_bytes_ext_volatile_get(struct snd_kcontrol *kcontrol, unsigned int _ int ret; int err; + /* + * Decrement the limit by ext bytes header size to + * ensure the user space buffer is not exceeded. + */ + if (size < sizeof(struct snd_ctl_tlv)) + return -ENOSPC; + size -= sizeof(struct snd_ctl_tlv); + ret = pm_runtime_get_sync(scomp->dev); if (ret < 0 && ret != -EACCES) { dev_err_ratelimited(scomp->dev, "error: bytes_ext get failed to resume %d\n", ret); @@ -396,6 +404,12 @@ int snd_sof_bytes_ext_volatile_get(struct snd_kcontrol *kcontrol, unsigned int _ data_size = cdata->data->size + sizeof(const struct sof_abi_hdr); + /* make sure we don't exceed size provided by user space for data */ + if (data_size > size) { + ret = -ENOSPC; + goto out; + } + header.numid = scontrol->cmd; header.length = data_size; if (copy_to_user(tlvd, &header, sizeof(const struct snd_ctl_tlv))) { -- cgit v1.2.3