Commit 07c16879 authored Apr 07, 2025 by Artemii Karasev Committed by Yuntao Liu Apr 07, 2025

ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()

stable inclusion
from stable-v4.19.273
commit 6e1f586ddec48d71016b81acf68ba9f49ca54db8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVYV
CVE: CVE-2023-52988

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6e1f586ddec48d71016b81acf68ba9f49ca54db8



--------------------------------

[ Upstream commit b9cee506 ]

snd_hda_get_connections() can return a negative error code.
It may lead to accessing 'conn' array at a negative index.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Artemii Karasev <karasev@ispras.ru>
Fixes: 30b45033 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs")
Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>

parent 3191c9e4

sound/pci/hda/patch_via.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -833,6 +833,9 @@ static int add_secret_dac_path(struct hda_codec *codec)
		return 0;
		nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn,
		ARRAY_SIZE(conn) - 1);
		if (nums < 0)
		return nums;

		for (i = 0; i < nums; i++) {
		if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT)
		return 0;