From 072d33e5e50e8d2aa300d3ce2880ae59dc42474d Mon Sep 17 00:00:00 2001 From: Mark Brown Date: Wed, 3 Jul 2024 17:29:25 +0800 Subject: [PATCH 1/2] ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() stable inclusion from stable-v4.19.228 commit 65a61b1f56f5386486757930069fbdce94af08bf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72DZ CVE: CVE-2022-48738 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=65a61b1f56f5386486757930069fbdce94af08bf -------------------------------- commit 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 upstream. We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range. Signed-off-by: Mark Brown Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220124153253.3548853-2-broonie@kernel.org Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jialin Zhang
---
sound/soc/soc-ops.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 948d0600aa61..1baf256a69f7 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -322,13 +322,27 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
 if (sign_bit)
 mask = BIT(sign_bit + 1) - 1;
- val = ((ucontrol->value.integer.value[0] + min) & mask);
+ val = ucontrol->value.integer.value[0];
+ if (mc->platform_max && val > mc->platform_max)
+ return -EINVAL;
+ if (val > max - min)
+ return -EINVAL;
+ if (val < 0)
+ return -EINVAL;
+ val = (val + min) & mask;
 if (invert)
 val = max - val;
 val_mask = mask << shift;
 val = val << shift;
 if (snd_soc_volsw_is_stereo(mc)) {
- val2 = ((ucontrol->value.integer.value[1] + min) & mask);
+ val2 = ucontrol->value.integer.value[1];
+ if (mc->platform_max && val2 > mc->platform_max)
+ return -EINVAL;
+ if (val2 > max - min)
+ return -EINVAL;
+ if (val2 < 0)
+ return -EINVAL;
+ val2 = (val2 + min) & mask;
 if (invert)
 val2 = max - val2;
 if (reg == reg2) {
-- Gitee
From eae46d78e596e4f2f3eaaa39fa139db548bdf8a7 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Wed, 3 Jul 2024 17:29:26 +0800 Subject: [PATCH 2/2] ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min stable inclusion from stable-v4.19.233 commit 0b2ecc9163472128e7f30b517bee92dcd27ffc34 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72DZ CVE: CVE-2022-48738 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b2ecc9163472128e7f30b517bee92dcd27ffc34 -------------------------------- commit 9bdd10d57a8807dba0003af0325191f3cec0f11c upstream. While the $val/$val2 values passed in from userspace are always >= 0 integers, the limits of the control can be signed integers and the $min can be non-zero and less than zero. To correctly validate $val/$val2 against platform_max, add the $min offset to val first. Fixes: 817f7c9335ec0 ("ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()") Signed-off-by: Marek Vasut Cc: Mark Brown Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220215130645.164025-1-marex@denx.de Signed-off-by: Mark Brown
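Review bot: The `if (val < 0)` test runs after the userspace value has already been stored in `val`, and the `(int)val` cast in the follow-up patch suggests `val` is unsigned (its declaration is outside the hunk), in which case the test can never be true. On 64-bit builds the `long` read from `ucontrol->value.integer.value[0]` would also be narrowed before any bound is checked, so a value with high bits set could fall inside the range after truncation. Checking the raw input first, `if (ucontrol->value.integer.value[0] < 0) return -EINVAL;` ahead of the assignment, and comparing the `long` against `max - min` before narrowing, would close both gaps. The same applies to `val2` and `value[1]` in the stereo branch. The body of snd_soc_put_volsw() starts and ends outside the hunk.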
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jialin Zhang
---
sound/soc/soc-ops.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 1baf256a69f7..d89c6921f3ec 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -323,7 +323,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
 mask = BIT(sign_bit + 1) - 1;
 val = ucontrol->value.integer.value[0];
- if (mc->platform_max && val > mc->platform_max)
+ if (mc->platform_max && ((int)val + min) > mc->platform_max)
 return -EINVAL;
 if (val > max - min)
 return -EINVAL;
@@ -336,7 +336,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
 val = val << shift;
 if (snd_soc_volsw_is_stereo(mc)) {
 val2 = ucontrol->value.integer.value[1];
- if (mc->platform_max && val2 > mc->platform_max)
+ if (mc->platform_max && ((int)val2 + min) > mc->platform_max)
 return -EINVAL;
 if (val2 > max - min)
 return -EINVAL;
-- Gitee
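Review bot: In both hunks the new `((int)val + min) > mc->platform_max` test is evaluated on a value that has not yet been range-checked, so the cast and the addition operate on whatever userspace supplied. Only the `val > max - min` test that follows rejects an oversized input. Moving the `max - min` check ahead of the platform_max check would bound `val` (and `val2` in the second hunk) before it is cast, so the platform limit no longer depends on check order. A short comment such as `/* platform_max is compared in the register domain, hence the +min offset */` would also help, since neither hunk shows which domain platform_max is advertised in to userspace; that should be confirmed against the info callback. The function body starts and ends outside both hunks.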