From: Ziqing Chen
Subject: [RESEND PATCH] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
Date: Tue, 14 Apr 2026 20:18:14 +0800
Message-ID: <20260414121814.221126-1-chenziqing@xiaomi.com>
In-Reply-To: <20260414090542.151447-1-chenziqing@xiaomi.com>
References: <20260414090542.151447-1-chenziqing@xiaomi.com>

snd_ctl_elem_init_enum_names() advances pointer p through the names
buffer while decrementing buf_len. If buf_len reaches zero but items
remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
maxlen against __builtin_dynamic_object_size(). When Clang loses track
of p's object size inside the loop, this triggers a BRK exception panic
before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified
strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.

Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls")
Cc: stable@vger.kernel.org
Signed-off-by: Ziqing Chen

--- sound/core/control.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index 0ddade871b52..6ceb5f977fcd 100644 --- a/sound/core/control.c +++ b/sound/core/control.c
@@ -1574,6 +1574,10 @@ static int snd_ctl_elem_init_enum_names(struct user_= element *ue) /* check that there are enough valid names */ p =3D names; for (i =3D 0; i < ue->info.value.enumerated.items; ++i) { + if (buf_len =3D=3D 0) { + kvfree(names); + return -EINVAL; + } name_len =3D strnlen(p, buf_len); if (name_len =3D=3D 0 || name_len >=3D 64 || name_len =3D= =3D buf_len) { kvfree(names); -- 2.52.0
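Review bot: The new `if (buf_len == 0)` guard at the top of the loop body carries no comment, and on its own it reads as redundant with the `name_len == 0` test directly below it, since strnlen(p, 0) returns 0; that makes it a likely candidate for removal in a later cleanup. Add a one-line comment above the guard stating that it keeps the fortified strnlen() from being called on an exhausted buffer under CONFIG_FORTIFY_SOURCE, as the commit message explains. The guard also repeats the `kvfree(names); return -EINVAL;` pair that the existing check uses, so a shared error exit for both would keep the two failure paths from drifting apart.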