Re: [PATCH v3] ASoC: SOF: Intel: hda: Fix UAF when reloading module

From: Péter Ujfalusi
Date: Thu May 08 2025 - 01:49:02 EST

Next message: kernel test robot: "[tip:x86/microcode] BUILD SUCCESS 4804f5ad5d63cf7ddad148132a3ecea11410dfa9"
Previous message: Dan Carpenter: "fs/smb/server/oplock.c:155 opinfo_get_list() warn: can 'opinfo' even be NULL?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 07/05/2025 20:06, Tavian Barnes wrote:
>>> - hda_mach = snd_soc_acpi_intel_hda_machines;
>>> + /* make a copy so we can modify it below */
>>> + hda_mach = devm_kmemdup(sdev->dev,
>>> + snd_soc_acpi_intel_hda_machines,
>>> + sizeof(*hda_mach),
>>> + GFP_KERNEL);
>>
>> We need to copy 2x the size as the snd_soc_acpi_intel_hda_machines[] has
>> two entries, the second is the sentinel (all 0).
>
> Do we? I recognize that snd_soc_acpi_intel_hda_machines is an array,
> but I don't see anywhere that hda_mach or *mach are used as an array,
> at least in hda.c.
>
> I'm no expert though, if we need the sentinel I can send a v4. Thanks
> for the review!

Yes, we need to preserve the sentinel. When dealing with the
snd_soc_acpi_mach all code looks for the sentinel at the end to break
the loops. The size of the arrays are unknown outside where they are
defined.

--
Péter

Next message: kernel test robot: "[tip:x86/microcode] BUILD SUCCESS 4804f5ad5d63cf7ddad148132a3ecea11410dfa9"
Previous message: Dan Carpenter: "fs/smb/server/oplock.c:155 opinfo_get_list() warn: can 'opinfo' even be NULL?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]