From nobody Wed Dec 17 14:13:53 2025 Received: from exchange.fintech.ru (exchange.fintech.ru [195.54.195.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E9EFC3064A5; Mon, 13 Oct 2025 13:40:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.54.195.159 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760362834; cv=none; b=Y4Mx8Y6Rdh/asaDY1NxvycPova1HCZTEbygSujn4vabHl5mAz0YZy3bdGynU4jjymZNHjhkoCWINugPfQM9EPP/jwbOk2xtWJy5vxG4GcjzB4Oy2BZQrhaWBbi6wGpiO6YPJp6RpWT1T+JIoA1VP2FczqkX7OMbKjascLcJpnDw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760362834; c=relaxed/simple; bh=7IitNfFxeuRtQCQPMlEdaH3Q/Xv+smTip+tkaLsWJws=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=se9Js2g5YBUlnLxOr4DDsrfeH1ocTTtXD2Od7B6idguaJc48zyFd8Lq6NJPlIExZ+blfXW0hboNBm6RfcLB1mVVhrHoa6IsPAwcmnuoHN01D2qa/cfC+5PIwsk3YQb5xKfcrw1XUYVVN5WdUTb+yNakvfOkYCZB2PyUAmmJ6abw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru; spf=pass smtp.mailfrom=fintech.ru; arc=none smtp.client-ip=195.54.195.159 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fintech.ru Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru (195.54.195.169) with Microsoft SMTP Server (TLS) id 14.3.498.0; Mon, 13 Oct 2025 16:39:18 +0300 Received: from localhost (10.0.253.101) by Ex16-01.fintech.ru (10.0.10.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Mon, 13 Oct 2025 16:39:17 +0300 From: Nikita Zhandarovich To: Srinivas Kandagatla , Liam Girdwood , Jaroslav Kysela , Takashi Iwai CC: Nikita Zhandarovich , , , , Subject: [PATCH v2] ASoC: q6apm: fix potential overflow in q6hdmi_hw_params Date: Mon, 13 Oct 2025 16:39:04 +0300 Message-ID: <20251013133906.3299497-1-n.zhandarovich@fintech.ru> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru (10.0.10.18) Content-Type: text/plain; charset="utf-8" Since 'module_config' array in struct 'q6apm_lpass_dai_data' has fixed size APM_PORT_MAX (127), function q6hdmi_hw_params() may hit accidental buffer overflow. Specifically, in case 'dai->id' has values ranging between DISPLAY_PORT_RX_1 and DISPLAY_PORT_RX_7, DISPLAY_PORT_RX_1 being equal 129, module_config[] array will attempt to access elements out of reach. Mitigate this issue by expanding the maximum possible size of 'module_config' and increasing APM_PORT_MAX to account for bigger possible values for indexes. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 2f6860e6133f ("ASoC: qcom: q6apm: add support to display ports in lp= ass dais") Signed-off-by: Nikita Zhandarovich --- P.S. This issue is quite similar to another, already fixed one, see commit a31a4934b31f ("ASoC: qcom: Fix sc7280 lpass potential buffer overflow"). v1 -> v2: increase APM_PORT_MAX by 1 to ensure that no overflow occurs if dai->id is equal to max possible value (DISPLAY_PORT_RX_7). Thanks to Fedor Pchelkin for the suggestion. Also, expand description a tiny bit. --- sound/soc/qcom/qdsp6/q6apm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/qcom/qdsp6/q6apm.h b/sound/soc/qcom/qdsp6/q6apm.h index 7ce08b401e31..fa766c038d78 100644 --- a/sound/soc/qcom/qdsp6/q6apm.h +++ b/sound/soc/qcom/qdsp6/q6apm.h @@ -14,9 +14,10 @@ #include #include #include +#include #include "audioreach.h" =20 -#define APM_PORT_MAX 127 +#define APM_PORT_MAX (DISPLAY_PORT_RX_7 + 1) #define APM_PORT_MAX_AUDIO_CHAN_CNT 8 #define PCM_CHANNEL_NULL 0 #define PCM_CHANNEL_FL 1 /* Front left channel. */