From: Cássio Gabriel
Date: Thu, 19 Mar 2026 21:45:26 -0300
Subject: [PATCH] ASoC: SOF: topology: reject invalid vendor array size in token parser
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com>
To: Liam Girdwood, Peter Ujfalusi, Bard Liao, Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Pierre-Louis Bossart, Mark Brown, Jaroslav Kysela, Takashi Iwai
Cc: sound-open-firmware@alsa-project.org, linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, Cássio Gabriel

sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.

Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.

Signed-off-by: C=C3=A1ssio Gabriel Acked-by: Peter Ujfalusi --- sound/soc/sof/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c index 18e2401152c8..35200d801fb7 100644 --- a/sound/soc/sof/topology.c +++ b/sound/soc/sof/topology.c @@ -736,7 +736,7 @@ static int sof_parse_token_sets(struct snd_soc_componen= t *scomp, asize =3D le32_to_cpu(array->size); =20 /* validate asize */ - if (asize < 0) { /* FIXME: A zero-size array makes no sense */ + if (asize < sizeof(*array)) { dev_err(scomp->dev, "error: invalid array size 0x%x\n", asize); return -EINVAL; --- base-commit: b3c48fa1fb397b490101785ddd87caf2e5513a66 change-id: 20260319-sof-topology-array-size-fix-e900a6b357bc Best regards, --=20 C=C3=A1ssio Gabriel
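
Review bot: the new test "if (asize < sizeof(*array))" compares asize against a size_t, so if asize is declared as a signed int (the declaration is outside this hunk, but the removed "asize < 0" test suggests it is), it is converted to unsigned for the comparison, and a value from le32_to_cpu(array->size) with the top bit set is treated as a very large size and passes this check instead of being rejected as negative. Consider making asize a u32 so the "0x%x" format and the comparison agree, and confirm that an upper bound against the remaining topology data is enforced after this check, since the hunk only establishes the lower bound. The /* validate asize */ comment could also say that the minimum is the tuple array header size, now that the FIXME explaining the zero-size case is gone.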