From: Dan Carpenter dan.carpenter@oracle.com
stable inclusion from stable-v4.19.316 commit a0f49d12547d45ea8b0f356a96632dd503941c1e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72GH CVE: CVE-2022-48717
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=l...
--------------------------------
commit 4c907bcd9dcd233da6707059d777ab389dcbd964 upstream.
Check for negative values of "priv->gain" to prevent an out of bounds access. The concern is that these might come from the user via: -> snd_ctl_elem_write_user() -> snd_ctl_elem_write() -> kctl->put()
Fixes: fa8d915172b8 ("ASoC: max9759: Add Amplifier Driver") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Link: https://lore.kernel.org/r/20220119123101.GA9509@kili Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Wenyu Huang huangwenyu5@huawei.com --- sound/soc/codecs/max9759.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/max9759.c b/sound/soc/codecs/max9759.c index ecfb4a80424b..ec0a482e9000 100644 --- a/sound/soc/codecs/max9759.c +++ b/sound/soc/codecs/max9759.c @@ -64,7 +64,8 @@ static int speaker_gain_control_put(struct snd_kcontrol *kcontrol, struct snd_soc_component *c = snd_soc_kcontrol_component(kcontrol); struct max9759 *priv = snd_soc_component_get_drvdata(c);
- if (ucontrol->value.integer.value[0] > 3) + if (ucontrol->value.integer.value[0] < 0 || + ucontrol->value.integer.value[0] > 3) return -EINVAL;
priv->gain = ucontrol->value.integer.value[0];