ASoC: topology: Fix references to freed memory

mainline inclusion from mainline-v6.10-rc6 commit 97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELE CVE: CVE-2024-41069 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1 -------------------------------- Most users after parsing a topology file, release memory used by it, so having pointer references directly into topology file contents is wrong. Use devm_kmemdup(), to allocate memory as needed. Reported-by: Jason Montleon <jmontleo@redhat.com> Link: thesofproject/avs-topology-xml#22 (comment) Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com> Conflicts: sound/soc/soc-topology.c [Resolve conflicts due to some cleanup commits not backported] Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com> Link: https://lore.kernel.org/r/20240603102818.36165-2-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown <broonie@kernel.org> Fixes: 8a97823 ("ASoC: topology: Add topology core") Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
openeuler-mirror · Jul 30, 2024 · b581981 · b581981
1 parent 43e1b61
commit b581981
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
@@ -1258,15 +1258,32 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg,
 			break;
 		}
 
-		routes[i]->source = elem->source;
-		routes[i]->sink = elem->sink;
+		routes[i]->source = devm_kmemdup(tplg->dev, elem->source,
+					     min((int)strlen(elem->source),
+						 SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+					     GFP_KERNEL);
+		routes[i]->sink = devm_kmemdup(tplg->dev, elem->sink,
+					   min((int)strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+					   GFP_KERNEL);
+		if (!routes[i]->source || !routes[i]->sink) {
+			ret = -ENOMEM;
+			break;
+		}
 
 		/* set to NULL atm for tplg users */
 		routes[i]->connected = NULL;
-		if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0)
+		if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) {
 			routes[i]->control = NULL;
-		else
-			routes[i]->control = elem->control;
+		} else {
+			routes[i]->control = devm_kmemdup(tplg->dev, elem->control,
+						      min((int)strlen(elem->control),
+							  SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+						      GFP_KERNEL);
+			if (!routes[i]->control) {
+				ret = -ENOMEM;
+				break;
+			}
+		}
 
 		/* add route dobj to dobj_list */
 		routes[i]->dobj.type = SND_SOC_DOBJ_GRAPH;