[PATCH openEuler-22.03-LTS-SP1 0/2] Fix CVE-2024-41069

Amadeusz Sławiński (2):
  ASoC: topology: Fix references to freed memory
  ASoC: topology: Fix route memory corruption

 sound/soc/soc-topology.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

--
2.25.1

From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>

mainline inclusion
from mainline-v6.10-rc6
commit 97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELE
CVE: CVE-2024-41069

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

Most users after parsing a topology file, release memory used by it, so
having pointer references directly into topology file contents is wrong.
Use devm_kmemdup(), to allocate memory as needed.

Reported-by: Jason Montleon <jmontleo@redhat.com>
Link: https://github.com/thesofproject/avs-topology-xml/issues/22#issuecomment-212...
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>

Conflicts:
	sound/soc/soc-topology.c
[Resolve conflicts due to some cleanup commits not backported]

Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20240603102818.36165-2-amadeuszx.slawinski@linux.i...
Signed-off-by: Mark Brown <broonie@kernel.org>
Fixes: 8a9782346dcc ("ASoC: topology: Add topology core")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
 sound/soc/soc-topology.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 23a5f9a52da0..41eb61540da6 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -1258,15 +1258,32 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, break; } - routes[i]->source = elem->source; - routes[i]->sink = elem->sink; + routes[i]->source = devm_kmemdup(tplg->dev, elem->source, + min((int)strlen(elem->source), + SNDRV_CTL_ELEM_ID_NAME_MAXLEN), + GFP_KERNEL); + routes[i]->sink = devm_kmemdup(tplg->dev, elem->sink, + min((int)strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), + GFP_KERNEL); + if (!routes[i]->source || !routes[i]->sink) { + ret = -ENOMEM; + break; + } /* set to NULL atm for tplg users */ routes[i]->connected = NULL; - if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) + if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) { routes[i]->control = NULL; - else - routes[i]->control = elem->control; + } else { + routes[i]->control = devm_kmemdup(tplg->dev, elem->control, + min((int)strlen(elem->control), + SNDRV_CTL_ELEM_ID_NAME_MAXLEN), + GFP_KERNEL); + if (!routes[i]->control) { + ret = -ENOMEM; + break; + } + } /* add route dobj to dobj_list */ routes[i]->dobj.type = SND_SOC_DOBJ_GRAPH; -- 2.25.1
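Review bot: the length passed to devm_kmemdup() for source, sink and control is min((int)strlen(...), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), which leaves out the terminating NUL, so each duplicated buffer is an unterminated byte copy and any later string use of routes[i]->source, ->sink or ->control reads past the allocation. Copy the terminator too (length plus one) or use a string-duplicating helper instead of a raw memory copy. The strlen() calls on elem->source and elem->sink are also unbounded, while the emptiness check on elem->control in the same hunk uses strnlen() with SNDRV_CTL_ELEM_ID_NAME_MAXLEN; take the length with strnlen() before the copy so the bound applies to the scan as well as to the copy size.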

From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>

mainline inclusion
from mainline-v6.10-rc6
commit 0298f51652be47b79780833e0b63194e1231fa34
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELE
CVE: CVE-2024-41069

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

It was reported that recent fix for memory corruption during topology
load, causes corruption in other cases. Instead of being overeager with
checking topology, assume that it is properly formatted and just
duplicate strings.

Reported-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Closes: https://lore.kernel.org/linux-sound/171812236450.201359.3019210915105428447....
Suggested-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>

Conflicts:
	sound/soc/soc-topology.c
[Resolve conflicts due to not merge cleanup patch e0e7bc2cbee93778c4ad7d9a792d425ffb5af6f7]

Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20240613090126.841189-1-amadeuszx.slawinski@linux....
Signed-off-by: Mark Brown <broonie@kernel.org>
Fixes: 97ab304ecd95 ("ASoC: topology: Fix references to freed memory")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
 sound/soc/soc-topology.c | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 41eb61540da6..c65c92b073b2 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -1258,13 +1258,8 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, break; } - routes[i]->source = devm_kmemdup(tplg->dev, elem->source, - min((int)strlen(elem->source), - SNDRV_CTL_ELEM_ID_NAME_MAXLEN), - GFP_KERNEL); - routes[i]->sink = devm_kmemdup(tplg->dev, elem->sink, - min((int)strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), - GFP_KERNEL); + routes[i]->source = devm_kstrdup(tplg->dev, elem->source, GFP_KERNEL); + routes[i]->sink = devm_kstrdup(tplg->dev, elem->sink, GFP_KERNEL); if (!routes[i]->source || !routes[i]->sink) { ret = -ENOMEM; break; @@ -1275,10 +1270,7 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) { routes[i]->control = NULL; } else { - routes[i]->control = devm_kmemdup(tplg->dev, elem->control, - min((int)strlen(elem->control), - SNDRV_CTL_ELEM_ID_NAME_MAXLEN), - GFP_KERNEL); + routes[i]->control = devm_kstrdup(tplg->dev, elem->control, GFP_KERNEL); if (!routes[i]->control) { ret = -ENOMEM; break; -- 2.25.1
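Review bot: in the first hunk, devm_kstrdup(tplg->dev, elem->source, GFP_KERNEL) and the matching call for elem->sink scan until a NUL with no upper bound, and the commit message says the topology is simply assumed to be well formed. Since these strings come from a parsed topology file, confirm that the code above this hunk rejects a name with no terminator inside SNDRV_CTL_ELEM_ID_NAME_MAXLEN; if it does not, add a strnlen() check that fails the load before the duplication.

Review bot: in the second hunk, the emptiness test on elem->control is bounded by strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN), but the devm_kstrdup() in the else branch is not, so the two lines disagree about how far the field may be read. Keep the strnlen() result and return an error when it equals SNDRV_CTL_ELEM_ID_NAME_MAXLEN, so that the duplication only runs on a terminated string.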

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/10405
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/K...