]>
Commit | Line | Data |
---|---|---|
c430f7d2 GKH |
1 | From d63733aed90b432e5cc489ddfa28e342f91b4652 Mon Sep 17 00:00:00 2001 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Fri, 13 Sep 2013 10:53:36 +0300 | |
4 | Subject: ASoC: ab8500-codec: info leak in anc_status_control_put() | |
5 | ||
6 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
7 | ||
8 | commit d63733aed90b432e5cc489ddfa28e342f91b4652 upstream. | |
9 | ||
10 | If the user passes an invalid value it leads to an info leak when we | |
11 | print the error message or it could oops. This is called with user | |
12 | supplied data from snd_ctl_elem_write(). | |
13 | ||
14 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
15 | Signed-off-by: Mark Brown <broonie@linaro.org> | |
16 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
17 | ||
18 | --- | |
19 | sound/soc/codecs/ab8500-codec.c | 7 ++++++- | |
20 | 1 file changed, 6 insertions(+), 1 deletion(-) | |
21 | ||
22 | --- a/sound/soc/codecs/ab8500-codec.c | |
23 | +++ b/sound/soc/codecs/ab8500-codec.c | |
24 | @@ -1225,13 +1225,18 @@ static int anc_status_control_put(struct | |
25 | struct ab8500_codec_drvdata *drvdata = dev_get_drvdata(codec->dev); | |
26 | struct device *dev = codec->dev; | |
27 | bool apply_fir, apply_iir; | |
28 | - int req, status; | |
29 | + unsigned int req; | |
30 | + int status; | |
31 | ||
32 | dev_dbg(dev, "%s: Enter.\n", __func__); | |
33 | ||
34 | mutex_lock(&drvdata->anc_lock); | |
35 | ||
36 | req = ucontrol->value.integer.value[0]; | |
37 | + if (req >= ARRAY_SIZE(enum_anc_state)) { | |
38 | + status = -EINVAL; | |
39 | + goto cleanup; | |
40 | + } | |
41 | if (req != ANC_APPLY_FIR_IIR && req != ANC_APPLY_FIR && | |
42 | req != ANC_APPLY_IIR) { | |
43 | dev_err(dev, "%s: ERROR: Unsupported status to set '%s'!\n", |