From: Mark Brown broonie@kernel.org
stable inclusion from stable-v4.19.228 commit 9a12fcbf3c622f9bf6b110a873d62b0cba93972e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72I5 CVE: CVE-2022-48737
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e upstream.
We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range.
Signed-off-by: Mark Brown broonie@kernel.org Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220124153253.3548853-3-broonie@kernel.org Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: GONG, Ruiqi gongruiqi1@huawei.com --- sound/soc/soc-ops.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c index f4dc3d445aae..ed9740f1f5dd 100644 --- a/sound/soc/soc-ops.c +++ b/sound/soc/soc-ops.c @@ -422,8 +422,15 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol, int err = 0; unsigned int val, val_mask, val2 = 0;
+ val = ucontrol->value.integer.value[0]; + if (mc->platform_max && val > mc->platform_max) + return -EINVAL; + if (val > max - min) + return -EINVAL; + if (val < 0) + return -EINVAL; val_mask = mask << shift; - val = (ucontrol->value.integer.value[0] + min) & mask; + val = (val + min) & mask; val = val << shift;
err = snd_soc_component_update_bits(component, reg, val_mask, val);