ASoC: Intel: avs: Verify content returned by parse_int_array()
authorCezary Rojewski <cezary.rojewski@intel.com>
Fri, 30 May 2025 14:10:23 +0000 (16:10 +0200)
committerMark Brown <broonie@kernel.org>
Mon, 2 Jun 2025 11:26:50 +0000 (12:26 +0100)
The first element of the returned array stores its length. If it is 0,
any manipulation beyond the element at index 0 ends with null-ptr-deref.

Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-8-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
sound/soc/intel/avs/debugfs.c

index 8c4edda97f757f864c97ddef59ece6c357857b60..0e826ca20619cafea23d73eb3c2af1fa929e6db8 100644 (file)
@@ -373,7 +373,10 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
                return ret;
 
        num_elems = *array;
-       resource_mask = array[1];
+       if (!num_elems) {
+               ret = -EINVAL;
+               goto free_array;
+       }
 
        /*
         * Disable if just resource mask is provided - no log priority flags.
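Review bot: The new `if (!num_elems)` guard has no comment saying why an empty array is rejected, and the layout it relies on (element 0 holds the count, so `array[1]` exists only when the count is non-zero) is stated only in the commit message. A one-line comment above the check would keep that next to the code: `/* array[0] holds the element count; nothing past it is valid when it is 0 */`. The `free_array` label and the function's final return are outside the hunk, so it is worth confirming that this path returns `ret` rather than the byte count; otherwise the rejected write would still report success to user space.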
@@ -381,6 +384,7 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
         * Enable input format:   mask, prio1, .., prioN
         * Where 'N' equals number of bits set in the 'mask'.
         */
+       resource_mask = array[1];
        if (num_elems == 1) {
                ret = disable_logs(adev, resource_mask);
        } else {
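Review bot: The enable path has no visible check that the number of priorities supplied matches the mask. The comment above says N must equal the number of bits set in `mask`, but the only count tests in this hunk are `!num_elems` and `num_elems == 1`. The else branch continues outside the hunk, so the comparison may already happen there or in the callee. If it does not, rejecting a mismatch before the priorities are consumed would close the same class of over-read, e.g. `if (num_elems - 1 != hweight32(resource_mask)) { ret = -EINVAL; goto free_array; }` (assuming the mask is 32 bits wide).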