ASoC: Intel: avs: Verify content returned by parse_int_array()
authorCezary Rojewski <cezary.rojewski@intel.com>
Fri, 30 May 2025 14:10:23 +0000 (16:10 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Jun 2025 13:32:20 +0000 (15:32 +0200)
[ Upstream commit 93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a ]

The first element of the returned array stores its length. If it is 0,
any manipulation beyond the element at index 0 ends with null-ptr-deref.

Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530141025.2942936-8-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
sound/soc/intel/avs/debugfs.c

index 1767ded4d98307241a8fc284ae082050000947d4..c9978fb9c74e2bcd491584565866f75c38fb7ee5 100644 (file)
@@ -372,7 +372,10 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
                return ret;
 
        num_elems = *array;
-       resource_mask = array[1];
+       if (!num_elems) {
+               ret = -EINVAL;
+               goto free_array;
+       }
 
        /*
         * Disable if just resource mask is provided - no log priority flags.
@@ -380,6 +383,7 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
         * Enable input format:   mask, prio1, .., prioN
         * Where 'N' equals number of bits set in the 'mask'.
         */
+       resource_mask = array[1];
        if (num_elems == 1) {
                ret = disable_logs(adev, resource_mask);
        } else {
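Review bot: The `else` branch that closes this hunk is taken for any `num_elems > 1`, yet nothing visible checks that the number of priorities supplied matches the number of bits set in `resource_mask`, which the comment just above gives as the enable format. The guard added in the previous hunk rejects only an empty array, so a userspace write carrying a wide mask and a single priority still gets through. The enable path lies outside the hunk; if it consumes one priority per set bit, a length check ahead of it, such as `if (num_elems - 1 != hweight_long(resource_mask)) { ret = -EINVAL; goto free_array; }` (the exact helper depends on the type of `resource_mask`, which is not shown), would keep the reads inside the parsed array.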