ASoC: topology: Fix references to freed memory

Most users after parsing a topology file, release memory used by it, so
having pointer references directly into topology file contents is wrong.
Use devm_kmemdup(), to allocate memory as needed.

Reported-by: Jason Montleon <jmontleo@redhat.com>
Link: https://github.com/thesofproject/avs-topology-xml/issues/22#issuecomment-2127892605
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20240603102818.36165-2-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 90ca37e008b32c89f545d88397479b0c6a7f65bb..75d9395a18ed494e47afd415627db5db075a93e6 100644 (file)
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -1060,15 +1060,32 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg,
                        break;
                }
 
-               route->source = elem->source;
-               route->sink = elem->sink;
+               route->source = devm_kmemdup(tplg->dev, elem->source,
+                                            min(strlen(elem->source),
+                                                SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+                                            GFP_KERNEL);
+               route->sink = devm_kmemdup(tplg->dev, elem->sink,
+                                          min(strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+                                          GFP_KERNEL);
+               if (!route->source || !route->sink) {
+                       ret = -ENOMEM;
+                       break;
+               }
 
                /* set to NULL atm for tplg users */
                route->connected = NULL;
-               if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0)
+               if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) {
                        route->control = NULL;
-               else
-                       route->control = elem->control;
+               } else {
+                       route->control = devm_kmemdup(tplg->dev, elem->control,
+                                                     min(strlen(elem->control),
+                                                         SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+                                                     GFP_KERNEL);
+                       if (!route->control) {
+                               ret = -ENOMEM;
+                               break;
+                       }
+               }
 
                /* add route dobj to dobj_list */
                route->dobj.type = SND_SOC_DOBJ_GRAPH;