In snd_sof_update_control(), firmware-provided cdata->num_elems is
checked against local_cdata->data->size but never against the actual
allocation size. If local_cdata->data->size was previously set to an
inconsistent value, the memcpy could write past the allocated buffer.
Add a bounds check to ensure num_elems fits within the available space
in the ipc_control_data allocation before copying.

Fixes: 10f461d79c2d ("ASoC: SOF: Add IPC3 topology control ops")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-5-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
return;
}
+ /* Verify the size fits within the allocation */
+ if (cdata->num_elems > scontrol->max_size - sizeof(*local_cdata) -
+ sizeof(*local_cdata->data)) {
+ dev_err(scomp->dev,
+ "cdata binary size %u exceeds buffer\n",
+ cdata->num_elems);
+ return;
+ }
+
/* copy the new binary data */
memcpy(local_cdata->data, cdata->data, cdata->num_elems);
} else if (cdata->num_elems != scontrol->num_channels) {
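Review bot: The limit in the added check is computed by unsigned subtraction, `scontrol->max_size - sizeof(*local_cdata) - sizeof(*local_cdata->data)`, so if max_size is ever smaller than the two header sizes the result wraps to a very large value and the check passes for any num_elems. Nothing in this hunk establishes that max_size is at least that large, so test that first and return on failure, for example by rejecting when `scontrol->max_size < sizeof(*local_cdata) + sizeof(*local_cdata->data)` before doing the subtraction. A short comment would also help on why sizeof(*local_cdata->data) is subtracted when the memcpy below writes num_elems bytes starting at local_cdata->data itself: the check is conservative as written, but a reader cannot tell from these lines whether num_elems is meant to include that header.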