Patch "ASoC: SOF: control: add size checks for ext_bytes control .put()" has been added to the 5.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 26 Oct 2020 01:11:52 -0400

This is a note to let you know that I've just added the patch titled

    ASoC: SOF: control: add size checks for ext_bytes control .put()

to the 5.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     asoc-sof-control-add-size-checks-for-ext_bytes-contr.patch
and it can be found in the queue-5.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 5d693d36e4ed4fdac349bc181e910acbc5033163
Author: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
Date:   Mon Sep 21 14:08:12 2020 +0300

    ASoC: SOF: control: add size checks for ext_bytes control .put()
    
    [ Upstream commit 2ca210112ad91880d2d5a3f85fecc838600afbce ]
    
    Make sure the TLV header and size are consistent before copying from
    userspace.
    
    Fixes: c3078f5397046 ('ASoC: SOF: Add Sound Open Firmware KControl support')
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
    Reviewed-by: Ranjani Sridharan <ranjani.sridharan@xxxxxxxxxxxxxxx>
    Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@xxxxxxxxxxxxxxx>
    Signed-off-by: Kai Vehmanen <kai.vehmanen@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20200921110814.2910477-4-kai.vehmanen@xxxxxxxxxxxxxxx
    Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c
index 186eea105bb15..009938d45ddd9 100644
--- a/sound/soc/sof/control.c
+++ b/sound/soc/sof/control.c
@@ -298,6 +298,10 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol,
 	const struct snd_ctl_tlv __user *tlvd =
 		(const struct snd_ctl_tlv __user *)binary_data;
 
+	/* make sure we have at least a header */
+	if (size < sizeof(struct snd_ctl_tlv))
+		return -EINVAL;
+
 	/*
 	 * The beginning of bytes data contains a header from where
 	 * the length (as bytes) is needed to know the correct copy
@@ -306,6 +310,13 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol,
 	if (copy_from_user(&header, tlvd, sizeof(const struct snd_ctl_tlv)))
 		return -EFAULT;
 
+	/* make sure TLV info is consistent */
+	if (header.length + sizeof(struct snd_ctl_tlv) > size) {
+		dev_err_ratelimited(scomp->dev, "error: inconsistent TLV, data %d + header %zu > %d\n",
+				    header.length, sizeof(struct snd_ctl_tlv), size);
+		return -EINVAL;
+	}
+
 	/* be->max is coming from topology */
 	if (header.length > be->max) {
 		dev_err_ratelimited(scomp->dev, "error: Bytes data size %d exceeds max %d.\n",






