From: Ziqing Chen <chenziqing@xiaomi.com> stable inclusion from stable-v6.6.140 commit 1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15330 CVE: CVE-2026-46088 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream. snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone. Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls") Cc: stable@vger.kernel.org Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com> Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yuan Can <yuancan@huawei.com> Conflicts: sound/core/control.c [context conflict] Signed-off-by: Zhang Yuwei <zhangyuwei20@huawei.com> --- sound/core/control.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index 732eb515d2f5..640bafb6605a 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1387,6 +1387,10 @@ static int snd_ctl_elem_init_enum_names(struct user_element *ue) buf_len = ue->info.value.enumerated.names_length; p = names; for (i = 0; i < ue->info.value.enumerated.items; ++i) { + if (buf_len == 0) { + kvfree(names); + return -EINVAL; + } name_len = strnlen(p, buf_len); if (name_len == 0 || name_len >= 64 || name_len == buf_len) { kvfree(names); -- 2.22.0