[PATCH openEuler-22.03-LTS-SP1] ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() - Kernel

4 Nov 2024

From: Mark Brown broonie@kernel.org
stable inclusion
from stable-v5.10.160
commit 50b5f6d4d9d2d69a7498c44fd8b26e13d73d3d98
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I6AVM6
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
CVE: CVE-2022-48951
--------------------------------
[ Upstream commit 97eea946b93961fffd29448dcda7398d0d51c4b2 ]
The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
first channel, meaning it is possible to write out of bounds values to the
second channel in stereo controls. Add appropriate checks.
Signed-off-by: Mark Brown broonie@kernel.org
Link: https://lore.kernel.org/r/20220511134137.169575-2-broonie@kernel.org
Signed-off-by: Mark Brown broonie@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Kaixiong Yu yukaixiong@huawei.com
---
 sound/soc/soc-ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 0f26d6c31ce5..49d22233d391 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -447,6 +447,12 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
    if (snd_soc_volsw_is_stereo(mc)) {
    	val_mask = mask << rshift;
    	val2 = (ucontrol->value.integer.value[1] + min) & mask;
+
+		if (mc->platform_max && val2 > mc->platform_max)
+			return -EINVAL;
+		if (val2 > max)
+			return -EINVAL;
+
    	val2 = val2 << rshift;
err = snd_soc_component_update_bits(component, reg2, val_mask,
-- 
2.34.1


    