From: Amadeusz Sławiński amadeuszx.slawinski@linux.intel.com
mainline inclusion
from mainline-v6.10-rc6
commit 97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELE
CVE: CVE-2024-41069
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Most users, after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup() to allocate memory as needed.
Reported-by: Jason Montleon jmontleo@redhat.com
Link: https://github.com/thesofproject/avs-topology-xml/issues/22#issuecomment-212...
Reviewed-by: Cezary Rojewski cezary.rojewski@intel.com
Conflicts:
sound/soc/soc-topology.c
[Resolve conflicts due to some cleanup commits not backported]
Signed-off-by: Amadeusz Sławiński amadeuszx.slawinski@linux.intel.com
Link: https://lore.kernel.org/r/20240603102818.36165-2-amadeuszx.slawinski@linux.i...
Signed-off-by: Mark Brown broonie@kernel.org
Fixes: 8a9782346dcc ("ASoC: topology: Add topology core")
Signed-off-by: Zheng Yejian zhengyejian1@huawei.com
---
 sound/soc/soc-topology.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c index 23a5f9a52da0..41eb61540da6 100644 --- a/sound/soc/soc-topology.c +++ b/sound/soc/soc-topology.c @@ -1258,15 +1258,32 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, break; }
- routes[i]->source = elem->source; - routes[i]->sink = elem->sink; + routes[i]->source = devm_kmemdup(tplg->dev, elem->source, + min((int)strlen(elem->source), + SNDRV_CTL_ELEM_ID_NAME_MAXLEN), + GFP_KERNEL); + routes[i]->sink = devm_kmemdup(tplg->dev, elem->sink, + min((int)strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), + GFP_KERNEL); + if (!routes[i]->source || !routes[i]->sink) { + ret = -ENOMEM; + break; + }
/* set to NULL atm for tplg users */ routes[i]->connected = NULL; - if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) + if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) { routes[i]->control = NULL; - else - routes[i]->control = elem->control; + } else { + routes[i]->control = devm_kmemdup(tplg->dev, elem->control, + min((int)strlen(elem->control), + SNDRV_CTL_ELEM_ID_NAME_MAXLEN), + GFP_KERNEL); + if (!routes[i]->control) { + ret = -ENOMEM; + break; + } + }
/* add route dobj to dobj_list */ routes[i]->dobj.type = SND_SOC_DOBJ_GRAPH;
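Review bot: The length passed to devm_kmemdup() for routes[i]->source, ->sink and ->control is min((int)strlen(...), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), which excludes the terminating NUL, so each duplicated buffer holds the name bytes with no terminator, and devm_kmemdup() does not append one. Any later consumer that treats these pointers as C strings will read past the end of the allocation, which replaces the use-after-free with an out-of-bounds read. Duplicating with devm_kstrdup(tplg->dev, elem->source, GFP_KERNEL), or copying strnlen(...) + 1 bytes and writing the final byte as '\0', would keep the copies terminated. Separately, the new calls use unbounded strlen() on fields taken from the topology file, while the unchanged control check in the same hunk uses strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN); using strnlen() for all three lengths would avoid scanning past a field that is not terminated within its fixed size.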