From: "Gustavo A. R. Silva" gustavoars@kernel.org
stable inclusion from stable-v6.6.2 commit 2983695ab49322ecf0068c30b0411bfd840ac52f category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8IW7G
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 3746284c233d5cf5f456400e61cd4a46a69c6e8c ]
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension") Signed-off-by: "Gustavo A. R. Silva" gustavoars@kernel.org Reviewed-by: Kees Cook keescook@chromium.org Link: https://lore.kernel.org/r/ZQSr15AYJpDpipg6@work Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- sound/soc/sof/ipc4-topology.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index 7cb63e6b24dc..c9c1d2ec7af2 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -895,7 +895,8 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; u32 ext_size = struct_size(base_cfg_ext, pin_formats, - swidget->num_input_pins + swidget->num_output_pins); + size_add(swidget->num_input_pins, + swidget->num_output_pins));
base_cfg_ext = kzalloc(ext_size, GFP_KERNEL); if (!base_cfg_ext) {