ASoC: SDCA: Validate written enum value in ge_put_enum_double()

ge_put_enum_double() passes the user-supplied enumeration index
item[0] to snd_soc_enum_item_to_val() without checking it against the
number of items in the enum:

	ret = snd_soc_enum_item_to_val(e, item[0]);

snd_soc_enum_item_to_val() indexes the heap-allocated e->values[] array
with that index (e->values is set from a devm_kcalloc() of e->items
entries), so a control write with an out-of-range item[0] reads past the
end of the values buffer.  The bounds check in
snd_soc_dapm_put_enum_double() only runs afterwards, so it does not
prevent the read here.

Reject an out-of-range item before using it, matching the other enum put
handlers.

This issue was pointed out by the Sashiko AI review bot while reviewing a
related enum-validation series:
https://lore.kernel.org/all/20260609125735.CEB651F00893@smtp.kernel.org/

Fixes: 812ff1baa764 ("ASoC: SDCA: Limit values user can write to Selected Mode")
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260623110526.813217-1-sammiee5311@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/sdca/sdca_asoc.c b/sound/soc/sdca/sdca_asoc.c
index e76afa396b0ab380d6b7dc699176418a5cdfdf5d..b4dedba719dc612500a445e1ac334e93e8008d0d 100644 (file)
--- a/sound/soc/sdca/sdca_asoc.c
+++ b/sound/soc/sdca/sdca_asoc.c
@@ -160,6 +160,9 @@ static int ge_put_enum_double(struct snd_kcontrol *kcontrol,
        unsigned int reg = e->reg;
        int ret;
 
+       if (item[0] >= e->items)
+               return -EINVAL;
+
        reg &= ~SDW_SDCA_CTL_CSEL(0x3F);
        reg |= SDW_SDCA_CTL_CSEL(SDCA_CTL_GE_DETECTED_MODE);