From 403c521003a1364fd2d7c01a2a1f66ed025fb94a Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 7 Dec 2021 16:33:23 +0100 Subject: [PATCH] ALSA: mixart: Add sanity check for timer notify streams The miXart timer notification is a variable length, and if a hardware is screwed up, we may access over the actual data size. Let's add a sanity check and bail out if an invalid value is received. Link: https://lore.kernel.org/r/20211207153323.27098-1-tiwai@suse.de Signed-off-by: Takashi Iwai --- sound/pci/mixart/mixart_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/pci/mixart/mixart_core.c b/sound/pci/mixart/mixart_core.c index 853083dd4bad..a047ed0f84e9 100644 --- a/sound/pci/mixart/mixart_core.c +++ b/sound/pci/mixart/mixart_core.c @@ -443,6 +443,8 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id) notify = (struct mixart_timer_notify *)mixart_msg_data; BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data)); + if (snd_BUG_ON(notify->stream_count > ARRAY_SIZE(notify->streams))) + break; for(i=0; istream_count; i++) { u32 buffer_id = notify->streams[i].buffer_id;