ALSA: firewire-motu: add bounds check in put_user loop for DSP events

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.

Fix by adding a bounds check before put_user().

Suggested-by: Takashi Iwai <tiwai@suse.de>
Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Junrui Luo and committed by

Takashi Iwai 3 months ago 298e7538 9a97857d

+1 -1

1 changed file

expand all

sound

firewire

motu

motu-hwdep.c

+1 -1

sound/firewire/motu/motu-hwdep.c

··· 75 75 while (consumed < count && 76 76 snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) { 77 77 ptr = (u32 __user *)(buf + consumed); 78 - if (put_user(ev, ptr)) 78 + if (consumed + sizeof(ev) > count || put_user(ev, ptr)) 79 79 return -EFAULT; 80 80 consumed += sizeof(ev); 81 81 }