Commit eae46d78 authored Jul 03, 2024 by Marek Vasut Committed by Jialin Zhang Jul 03, 2024

ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min

stable inclusion
from stable-v4.19.233
commit 0b2ecc9163472128e7f30b517bee92dcd27ffc34
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72DZ
CVE: CVE-2022-48738

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0b2ecc9163472128e7f30b517bee92dcd27ffc34



--------------------------------

commit 9bdd10d5 upstream.

While the $val/$val2 values passed in from userspace are always >= 0
integers, the limits of the control can be signed integers and the $min
can be non-zero and less than zero. To correctly validate $val/$val2
against platform_max, add the $min offset to val first.

Fixes: 817f7c93 ("ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220215130645.164025-1-marex@denx.de


Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parent 072d33e5

sound/soc/soc-ops.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -323,7 +323,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
		mask = BIT(sign_bit + 1) - 1;

		val = ucontrol->value.integer.value[0];
		if (mc->platform_max && val > mc->platform_max)
		if (mc->platform_max && ((int)val + min) > mc->platform_max)
		return -EINVAL;
		if (val > max - min)
		return -EINVAL;
		@@ -336,7 +336,7 @@ int snd_soc_put_volsw(struct snd_kcontrol *kcontrol,
		val = val << shift;
		if (snd_soc_volsw_is_stereo(mc)) {
		val2 = ucontrol->value.integer.value[1];
		if (mc->platform_max && val2 > mc->platform_max)
		if (mc->platform_max && ((int)val2 + min) > mc->platform_max)
		return -EINVAL;
		if (val2 > max - min)
		return -EINVAL;