ASoC: SOF: ipc3-control: Use overflow checks in control_update size calc

In sof_ipc3_control_update(), the expected_size calculation uses
firmware-provided cdata->num_elems in arithmetic that could overflow
on 32-bit platforms, wrapping to a small value. This would allow the
cdata->rhdr.hdr.size comparison to pass with mismatched sizes,
potentially leading to out-of-bounds access in snd_sof_update_control.

Use check_mul_overflow() and check_add_overflow() to detect and reject
overflowed size calculations.

Fixes: 10f461d79c2d ("ASoC: SOF: Add IPC3 topology control ops")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20260609083458.31193-4-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/sof/ipc3-control.c b/sound/soc/sof/ipc3-control.c
index 2b1befad6d5c0d6ef1ffdbeba14a9546bfa7d7ef..23b0ae3ad41463e316ab1a143ed6d0b144f91728 100644 (file)
--- a/sound/soc/sof/ipc3-control.c
+++ b/sound/soc/sof/ipc3-control.c
@@ -626,16 +626,28 @@ static void sof_ipc3_control_update(struct snd_sof_dev *sdev, void *ipc_control_
                return;
        }
 
-       expected_size = sizeof(struct sof_ipc_ctrl_data);
        switch (cdata->type) {
        case SOF_CTRL_TYPE_VALUE_CHAN_GET:
        case SOF_CTRL_TYPE_VALUE_CHAN_SET:
-               expected_size += cdata->num_elems *
-                                sizeof(struct sof_ipc_ctrl_value_chan);
+               if (check_mul_overflow((size_t)cdata->num_elems,
+                                      sizeof(struct sof_ipc_ctrl_value_chan),
+                                      &expected_size))
+                       return;
+               if (check_add_overflow(expected_size,
+                                      sizeof(struct sof_ipc_ctrl_data),
+                                      &expected_size))
+                       return;
                break;
        case SOF_CTRL_TYPE_DATA_GET:
        case SOF_CTRL_TYPE_DATA_SET:
-               expected_size += cdata->num_elems + sizeof(struct sof_abi_hdr);
+               if (check_add_overflow((size_t)cdata->num_elems,
+                                      sizeof(struct sof_abi_hdr),
+                                      &expected_size))
+                       return;
+               if (check_add_overflow(expected_size,
+                                      sizeof(struct sof_ipc_ctrl_data),
+                                      &expected_size))
+                       return;
                break;
        default:
                return;