From: Amadeusz Sławiński amadeuszx.slawinski@linux.intel.com
mainline inclusion from mainline-v6.10-rc6 commit 0298f51652be47b79780833e0b63194e1231fa34 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELE CVE: CVE-2024-41069
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
It was reported that recent fix for memory corruption during topology load, causes corruption in other cases. Instead of being overeager with checking topology, assume that it is properly formatted and just duplicate strings.
Reported-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com Closes: https://lore.kernel.org/linux-sound/171812236450.201359.3019210915105428447.... Suggested-by: Péter Ujfalusi peter.ujfalusi@linux.intel.com Conflicts: sound/soc/soc-topology.c [Resolve conflicts due to not merge cleanup patch e0e7bc2cbee93778c4ad7d9a792d425ffb5af6f7] Signed-off-by: Amadeusz Sławiński amadeuszx.slawinski@linux.intel.com Link: https://lore.kernel.org/r/20240613090126.841189-1-amadeuszx.slawinski@linux.... Signed-off-by: Mark Brown broonie@kernel.org Fixes: 97ab304ecd95 ("ASoC: topology: Fix references to freed memory") Signed-off-by: Zheng Yejian zhengyejian1@huawei.com --- sound/soc/soc-topology.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c index 41eb61540da6..c65c92b073b2 100644 --- a/sound/soc/soc-topology.c +++ b/sound/soc/soc-topology.c @@ -1258,13 +1258,8 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, break; }
- routes[i]->source = devm_kmemdup(tplg->dev, elem->source, - min((int)strlen(elem->source), - SNDRV_CTL_ELEM_ID_NAME_MAXLEN), - GFP_KERNEL); - routes[i]->sink = devm_kmemdup(tplg->dev, elem->sink, - min((int)strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), - GFP_KERNEL); + routes[i]->source = devm_kstrdup(tplg->dev, elem->source, GFP_KERNEL); + routes[i]->sink = devm_kstrdup(tplg->dev, elem->sink, GFP_KERNEL); if (!routes[i]->source || !routes[i]->sink) { ret = -ENOMEM; break; @@ -1275,10 +1270,7 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) { routes[i]->control = NULL; } else { - routes[i]->control = devm_kmemdup(tplg->dev, elem->control, - min((int)strlen(elem->control), - SNDRV_CTL_ELEM_ID_NAME_MAXLEN), - GFP_KERNEL); + routes[i]->control = devm_kstrdup(tplg->dev, elem->control, GFP_KERNEL); if (!routes[i]->control) { ret = -ENOMEM; break;