From nobody Thu Apr 2 16:58:52 2026 Received: from air.basealt.ru (air.basealt.ru [193.43.8.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 454FE283FEA; Fri, 27 Mar 2026 10:33:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.43.8.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774607597; cv=none; b=t9oHaICZnsRNLO7GOYnhXX7L8V+T1THmuMEa3+Zrv9CdqvxFKc5UeHWVDR6hSOITSqSP8P4TQZmhC0IntEcijtL+qepMdnQv9IO05tlXQGb73IEfH5WFx33DM44tRLKteGRTe3NsmlXJ7F/VbHrbkxJb1SwjnVeZ+MV9NkwM2Lw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774607597; c=relaxed/simple; bh=Gw2PRfbrSUg2/Hcpk+ygsAvymLMZcQ6uodTILtfVlMM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=c/JVlVrs+UDNJn9e4ByI4nyyJMh3+qlXrj7IlOAAqH5KSuRsPk8m6P8utwTgSeIuOM+aA/U8EwEjrUdvrxfFBU8r80/tHYuGgyTzESzFnqPXSMU/J0nwNpPAsn+LmOqa+yUUqI2c7VW6N8razuO6oxSC6MWpbcVS/8TaQ3o8FfE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=altlinux.org; spf=pass smtp.mailfrom=altlinux.org; arc=none smtp.client-ip=193.43.8.18 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=altlinux.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=altlinux.org Received: from boringlust.malta.altlinux.ru (obninsk.basealt.ru [217.15.195.17]) (Authenticated sender: rastyoginds) by air.basealt.ru (Postfix) with ESMTPSA id 814C3233A9; Fri, 27 Mar 2026 13:33:12 +0300 (MSK) From: gerben@altlinux.org To: kuninori.morimoto.gx@renesas.com Cc: lgirdwood@gmail.com, broonie@kernel.org, tiwai@suse.com, linux-sound@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] ASoC: rsnd: Fix potential out-of-bounds access of component_dais[] Date: Fri, 27 Mar 2026 13:33:11 +0300 Message-ID: <20260327103311.459239-1-gerben@altlinux.org> X-Mailer: git-send-email 2.42.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Denis Rastyogin component_dais[RSND_MAX_COMPONENT] is initially zero-initialized and later populated in rsnd_dai_of_node(). However, the existing boundary c= heck: if (i >=3D RSND_MAX_COMPONENT) does not guarantee that the last valid element remains zero. As a result, the loop can rely on component_dais[RSND_MAX_COMPONENT] being zero, which may lead to an out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 547b02f74e4a ("ASoC: rsnd: enable multi Component support for Audio = Graph Card/Card2") Signed-off-by: Denis Rastyogin Acked-by: Kuninori Morimoto --- sound/soc/renesas/rcar/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/renesas/rcar/core.c b/sound/soc/renesas/rcar/core.c index 69fb19964a71..2dc078358612 100644 --- a/sound/soc/renesas/rcar/core.c +++ b/sound/soc/renesas/rcar/core.c @@ -1974,7 +1974,7 @@ static int rsnd_probe(struct platform_device *pdev) * asoc register */ ci =3D 0; - for (i =3D 0; priv->component_dais[i] > 0; i++) { + for (i =3D 0; i < RSND_MAX_COMPONENT && priv->component_dais[i] > 0; i++)= { int nr =3D priv->component_dais[i]; =20 ret =3D devm_snd_soc_register_component(dev, &rsnd_soc_component, --=20 2.42.2