git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Mon, 19 Jan 2026 13:32:07 +0000 (14:32 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 30 Jan 2026 09:27:38 +0000 (10:27 +0100)
commit	a8c42d11b0526a89192bd2f79facb4c60c8a1f38
tree	7332beec83836b084d616af6e1d8d146d07d1a10	tree \| snapshot
parent	cbe409f68380ac8b8f11a52086f8e5364ed07aea	commit \| diff

ALSA: ctxfi: Fix potential OOB access in audio mixer handling

commit 61006c540cbdedea83b05577dc7fb7fa18fe1276 upstream.

In the audio mixer handling code of ctxfi driver, the conf field is
used as a kind of loop index, and it's referred in the index callbacks
(amixer_index() and sum_index()).

As spotted recently by fuzzers, the current code causes OOB access at
those functions.
| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48
| index 8 is out of range for type 'unsigned char [8]'

After the analysis, the cause was found to be the lack of the proper
(re-)initialization of conj field.

This patch addresses those OOB accesses by adding the proper
initializations of the loop indices.

Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Tested-by: Karsten Hohmeier <linux@hohmatik.de>
Closes: https://bugs.debian.org/1121535
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/all/aSk8KJI35H7gFru6@eldamar.lan/
Link: https://patch.msgid.link/20260119133212.189129-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>