[PATCH 2/2] ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
Charles Keepax
ckeepax at opensource.cirrus.com
Fri Nov 25 16:48:37 CET 2022
From: Mark Brown <broonie at kernel.org>
The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
first channel, meaning it is possible to write out of bounds values to the
second channel in stereo controls. Add appropriate checks.
Signed-off-by: Mark Brown <broonie at kernel.org>
Signed-off-by: Charles Keepax <ckeepax at opensource.cirrus.com>
---
Slight fixup was made over your original version to make the check of
val2 > max be without the min and mask applied.
Thanks,
Charles
sound/soc/soc-ops.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 47691119306fb..55b009d3c6815 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -464,10 +464,15 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol,
ret = err;
if (snd_soc_volsw_is_stereo(mc)) {
- unsigned int val2;
+ unsigned int val2 = ucontrol->value.integer.value[1];
+
+ if (mc->platform_max && val2 > mc->platform_max)
+ return -EINVAL;
+ if (val2 > max)
+ return -EINVAL;
val_mask = mask << rshift;
- val2 = (ucontrol->value.integer.value[1] + min) & mask;
+ val2 = (val2 + min) & mask;
val2 = val2 << rshift;
err = snd_soc_component_update_bits(component, reg2, val_mask,
--
2.30.2
More information about the Alsa-devel
mailing list