ASoC: SOF: ipc4-control: Fix TOCTOU in sof_ipc4_bytes_put

In sof_ipc4_bytes_put(), the copy size is derived from the old
data->size in the buffer rather than the incoming new data's size
field from ucontrol. If the new data has a different size, the copy
uses the wrong length: it may truncate valid data or copy stale bytes.

Fix by validating and using the incoming data's sof_abi_hdr.size from
ucontrol before copying.

Fixes: a062c8899fed ("ASoC: SOF: ipc4-control: Add support for bytes control get and put")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-2-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/sof/ipc4-control.c b/sound/soc/sof/ipc4-control.c
index 4ce821f96a91968f67d00f47264b699d012ea93e..aa31eed05730f21796ed42109569101c10a3ca33 100644 (file)
--- a/sound/soc/sof/ipc4-control.c
+++ b/sound/soc/sof/ipc4-control.c
@@ -554,6 +554,8 @@ static int sof_ipc4_bytes_put(struct snd_sof_control *scontrol,
        struct snd_soc_component *scomp = scontrol->scomp;
        struct snd_sof_dev *sdev = snd_soc_component_get_drvdata(scomp);
        struct sof_abi_hdr *data = cdata->data;
+       const struct sof_abi_hdr *new_hdr =
+               (const struct sof_abi_hdr *)ucontrol->value.bytes.data;
        size_t size;
        int ret;
 
@@ -564,15 +566,16 @@ static int sof_ipc4_bytes_put(struct snd_sof_control *scontrol,
                return -EINVAL;
        }
 
-       /* scontrol->max_size has been verified to be >= sizeof(struct sof_abi_hdr) */
-       if (data->size > scontrol->max_size - sizeof(*data)) {
+       /* Validate the new data's size, not the old one */
+       if (new_hdr->size > scontrol->max_size - sizeof(*new_hdr)) {
                dev_err_ratelimited(scomp->dev,
                                    "data size too big %u bytes max is %zu\n",
-                                   data->size, scontrol->max_size - sizeof(*data));
+                                   new_hdr->size,
+                                   scontrol->max_size - sizeof(*new_hdr));
                return -EINVAL;
        }
 
-       size = data->size + sizeof(*data);
+       size = new_hdr->size + sizeof(*new_hdr);
 
        /* copy from kcontrol */
        memcpy(data, ucontrol->value.bytes.data, size);