Unverified Commit 93e246b6 authored May 30, 2025 by Cezary Rojewski Committed by Mark Brown Jun 02, 2025

ASoC: Intel: avs: Verify content returned by parse_int_array()

The first element of the returned array stores its length. If it is 0,
any manipulation beyond the element at index 0 ends with null-ptr-deref.

Fixes: 5a565ba2 ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-8-cezary.rojewski@intel.com

Signed-off-by: Mark Brown <broonie@kernel.org>

parent 5f342aee

sound/soc/intel/avs/debugfs.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -373,7 +373,10 @@ static ssize_t trace_control_write(struct file file, const char __user from, s
		return ret;

		num_elems = *array;
		resource_mask = array[1];
		if (!num_elems) {
		ret = -EINVAL;
		goto free_array;
		}

		/*
		* Disable if just resource mask is provided - no log priority flags.
		@@ -381,6 +384,7 @@ static ssize_t trace_control_write(struct file file, const char __user from, s
		* Enable input format: mask, prio1, .., prioN
		* Where 'N' equals number of bits set in the 'mask'.
		*/
		resource_mask = array[1];
		if (num_elems == 1) {
		ret = disable_logs(adev, resource_mask);
		} else {