Commit f05dfc62 authored by Takashi Iwai's avatar Takashi Iwai Committed by Liu Shixin
Browse files

ALSA: asihpi: Fix potential OOB array access 

stable inclusion
from stable-v6.6.55
commit 7a55740996701f7b2bc46dc988b60ef2e416a747
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRBN
CVE: CVE-2024-50007

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7a55740996701f7b2bc46dc988b60ef2e416a747

--------------------------------

[ Upstream commit 7b986c7430a6bb68d523dac7bfc74cbd5b44ef96 ]

ASIHPI driver stores some values in the static array upon a response
from the driver, and its index depends on the firmware.  We shouldn't
trust it blindly.

This patch adds a sanity check of the array index to fit in the array
size.

Link: https://patch.msgid.link/20240808091454.30846-1-tiwai@suse.de


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLiu Shixin <liushixin2@huawei.com>
parent 723be560

sound/pci/asihpi/hpimsgx.c

+1 −1
Original line number Diff line number Diff line
@@ -708,7 +708,7 @@ static u16 HPIMSGX__init(struct hpi_message *phm, 
		phr->error = HPI_ERROR_PROCESSING_MESSAGE;

		return phr->error;

	}

	if (hr.error == 0) {

	if (hr.error == 0 && hr.u.s.adapter_index < HPI_MAX_ADAPTERS) {

		/* the adapter was created successfully

		   save the mapping for future use */

		hpi_entry_points[hr.u.s.adapter_index] = entry_point_func;