ASoC: SOF: ipc3-control: Validate size in snd_sof_update_control

ujfalusi · bardliao · commit 4ef2a354f342 · 2026-05-26T13:54:27.000+08:00
In snd_sof_update_control(), firmware-provided cdata->num_elems is checked against local_cdata->data->size but never against the actual allocation size. If local_cdata->data->size was previously set to an inconsistent value, the memcpy could write past the allocated buffer. Add a bounds check to ensure num_elems fits within the available space in the ipc_control_data allocation before copying. Fixes: 10f461d ("ASoC: SOF: Add IPC3 topology control ops") Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
diff --git a/sound/soc/sof/ipc3-control.c b/sound/soc/sof/ipc3-control.c
@@ -535,6 +535,15 @@ static void snd_sof_update_control(struct snd_sof_control *scontrol,
 			return;
 		}
 
+		/* Verify the size fits within the allocation */
+		if (cdata->num_elems > scontrol->max_size - sizeof(*local_cdata) -
+					sizeof(*local_cdata->data)) {
+			dev_err(scomp->dev,
+				"cdata binary size %u exceeds buffer\n",
+				cdata->num_elems);
+			return;
+		}
+
 		/* copy the new binary data */
 		memcpy(local_cdata->data, cdata->data, cdata->num_elems);
 	} else if (cdata->num_elems != scontrol->num_channels) {
