From: Samasth Norway Ananda Date: Tue, 9 Sep 2025 22:51:11 +0000 (-0700) Subject: ASoC: SOF: ipc3-dtrace: fix potential integer overflow in allocation X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=ce2335cd14b6585d57dc05a4375a506079adba81;p=users%2Fhch%2Fmisc.git ASoC: SOF: ipc3-dtrace: fix potential integer overflow in allocation Fix a potential integer overflow vulnerability in trace_filter_parse() where the allocation size calculation could overflow. The issue occurs when: 1. capacity is calculated by adding TRACE_FILTER_ELEMENTS_PER_ENTRY in a loop for each entry found in the input string. 2. capacity * sizeof(**out) multiplication could overflow if many entries are present in the input. 3. This results in a smaller allocation than expected, leading to potential buffer overflow. Replace kmalloc() with kmalloc_array() which provides built-in overflow checking and will safely fail the allocation if overflow would occur, preventing memory corruption. Signed-off-by: Samasth Norway Ananda Link: https://patch.msgid.link/20250909225111.3740029-1-samasth.norway.ananda@oracle.com Signed-off-by: Mark Brown --- diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c index e5c8fec173c4..6ec391fd39a9 100644 --- a/sound/soc/sof/ipc3-dtrace.c +++ b/sound/soc/sof/ipc3-dtrace.c @@ -126,7 +126,7 @@ static int trace_filter_parse(struct snd_sof_dev *sdev, char *string, capacity += TRACE_FILTER_ELEMENTS_PER_ENTRY; entry = strchr(entry + 1, entry_delimiter[0]); } - *out = kmalloc(capacity * sizeof(**out), GFP_KERNEL); + *out = kmalloc_array(capacity, sizeof(**out), GFP_KERNEL); if (!*out) return -ENOMEM;