superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/sound/core
History
Ziqing Chen e0da8a8cac ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() 
snd_ctl_elem_init_enum_names() advances pointer p through the names
buffer while decrementing buf_len. If buf_len reaches zero but items
remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
maxlen against __builtin_dynamic_object_size(). When Clang loses track
of p's object size inside the loop, this triggers a BRK exception panic
before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified
strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.

Fixes: 8d448162bd ("ALSA: control: add support for ENUMERATED user space controls")
Cc: stable@vger.kernel.org
Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com>
Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
 		2026-04-14 15:31:10 +02:00
..
oss ALSA: pcm: oss: use proper stream lock for runtime->state access 2026-03-16 18:05:55 +01:00
seq ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes 2026-03-27 14:40:24 +01:00
.kunitconfig ALSA: core: add kunitconfig 2024-03-17 09:36:45 +01:00
Kconfig ALSA: Do not build obsolete API 2025-12-07 13:15:59 +01:00
Makefile ALSA: control: Verify put() result when in debug mode 2026-02-28 09:32:39 +01:00
compress_offload.c ALSA: compress: Pay attention if drivers error out retrieving pointers 2026-04-02 11:10:28 +02:00
control.c ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() 2026-04-14 15:31:10 +02:00
control_compat.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
control_led.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
control_trace.h ALSA: control: Verify put() result when in debug mode 2026-02-28 09:32:39 +01:00
ctljack.c ALSA: jack: Improve string handling in jack_kctl_name_gen 2026-01-27 09:58:37 +01:00
device.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hrtimer.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hwdep.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
hwdep_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
info.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
info_oss.c ALSA: info: Use guard() for locking 2024-02-28 15:01:21 +01:00
init.c ALSA: control: Verify put() result when in debug mode 2026-02-28 09:32:39 +01:00
isadma.c sound updates for 6.0-rc1 2022-08-06 10:19:51 -07:00
jack.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
memalloc.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
memory.c ALSA: Align the syntax of iov_iter helpers with standard ones 2024-12-30 12:50:04 +01:00
misc.c ALSA: misc: Use guard() for spin locks 2025-09-01 13:54:28 +02:00
pcm.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_compat.c ALSA: pcm: Use pcm_lib_apply_appl_ptr() in x32 sync_ptr 2026-03-27 14:40:24 +01:00
pcm_dmaengine.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_drm_eld.c ALSA: pcm: Harden the spk_alloc assumption check 2025-11-21 10:35:04 +01:00
pcm_iec958.c ALSA: iec958: Split status creation and fill 2021-06-08 17:05:41 +02:00
pcm_lib.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_local.h ALSA: pcm: Revert "ALSA: pcm: rewrite snd_pcm_playback_silence()" 2023-05-05 18:23:48 +02:00
pcm_memory.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
pcm_misc.c ALSA: core: Add SPDX license id to files 2026-02-18 08:52:08 +01:00
pcm_native.c Merge branch 'for-linus' into for-next 2026-04-01 14:43:00 +02:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: pcm_timer: use snd_pcm_direction_name() 2024-08-01 12:50:13 +02:00
pcm_trace.h tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
rawmidi.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rawmidi_compat.c ALSA: rawmidi: Replace with __packed attribute 2023-10-26 09:42:55 +02:00
seq_device.c ALSA: seq: Refuse to probe seq drivers with non-bus probe or remove 2025-12-14 11:08:10 +01:00
sound.c ALSA: core: Validate compress device numbers without dynamic minors 2026-03-28 10:55:35 +01:00
sound_kunit.c ALSA: core: Fix possible NULL dereference caused by kunit_kzalloc() 2024-11-27 08:06:31 +01:00
sound_oss.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
timer.c ALSA: timer: keep a list of open masters for slave lookup 2026-03-17 09:16:24 +01:00
timer_compat.c ALSA: timer: Use guard() for locking 2024-02-28 15:01:20 +01:00
ump.c Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
ump_convert.c ALSA: ump: Explicitly reset RPN with Null RPN 2024-07-31 15:08:39 +02:00
vmaster.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00