Commit 71ca31e2 authored by Amadeusz Sławiński's avatar Amadeusz Sławiński Committed by Zheng Yejian
Browse files

ASoC: topology: Fix references to freed memory 

mainline inclusion
from mainline-v6.10-rc6
commit 97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELE
CVE: CVE-2024-41069

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1



--------------------------------

Most users after parsing a topology file, release memory used by it, so
having pointer references directly into topology file contents is wrong.
Use devm_kmemdup(), to allocate memory as needed.

Reported-by: default avatarJason Montleon <jmontleo@redhat.com>
Link: https://github.com/thesofproject/avs-topology-xml/issues/22#issuecomment-2127892605


Reviewed-by: default avatarCezary Rojewski <cezary.rojewski@intel.com>
Conflicts:
	sound/soc/soc-topology.c
[Resolve conflicts due to some cleanup commits not backported]
Signed-off-by: default avatarAmadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20240603102818.36165-2-amadeuszx.slawinski@linux.intel.com


Signed-off-by: default avatarMark Brown <broonie@kernel.org>
Fixes: 8a978234 ("ASoC: topology: Add topology core")
Signed-off-by: default avatarZheng Yejian <zhengyejian1@huawei.com>
parent f2621d27

sound/soc/soc-topology.c

+19 −5
Original line number Diff line number Diff line
@@ -1151,13 +1151,27 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg, 
			SNDRV_CTL_ELEM_ID_NAME_MAXLEN)

			return -EINVAL;



		route.source = elem->source;

		route.sink = elem->sink;

		route.source = devm_kmemdup(tplg->dev, elem->source,

					     min((int)strlen(elem->source),

						 SNDRV_CTL_ELEM_ID_NAME_MAXLEN),

					     GFP_KERNEL);

		route.sink = devm_kmemdup(tplg->dev, elem->sink,

					   min((int)strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN),

					   GFP_KERNEL);

		if (!route.source || !route.sink)

			return -ENOMEM;



		route.connected = NULL; /* set to NULL atm for tplg users */

		if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0)

		if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) {

			route.control = NULL;

		else

			route.control = elem->control;

		} else {

			route.control = devm_kmemdup(tplg->dev, elem->control,

						      min((int)strlen(elem->control),

							  SNDRV_CTL_ELEM_ID_NAME_MAXLEN),

						      GFP_KERNEL);

			if (!route.control)

				return -ENOMEM;

		}



		soc_tplg_add_route(tplg, &route);