From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 11 Feb 2023 11:30:53 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v6.1.12~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ad53d17053c0dde32dd8748b8336a6bc95e1ab9;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
	alsa-emux-avoid-potential-array-out-of-bound-in-snd_emux_xg_control.patch
---

diff --git a/queue-4.19/alsa-emux-avoid-potential-array-out-of-bound-in-snd_emux_xg_control.patch b/queue-4.19/alsa-emux-avoid-potential-array-out-of-bound-in-snd_emux_xg_control.patch
new file mode 100644
index 00000000000..65dd5debc9a
--- /dev/null
+++ b/queue-4.19/alsa-emux-avoid-potential-array-out-of-bound-in-snd_emux_xg_control.patch
@@ -0,0 +1,37 @@
+From 6a32425f953b955b4ff82f339d01df0b713caa5d Mon Sep 17 00:00:00 2001
+From: Artemii Karasev <karasev@ispras.ru>
+Date: Tue, 7 Feb 2023 18:20:26 +0500
+Subject: ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control()
+
+From: Artemii Karasev <karasev@ispras.ru>
+
+commit 6a32425f953b955b4ff82f339d01df0b713caa5d upstream.
+
+snd_emux_xg_control() can be called with an argument 'param' greater
+than size of 'control' array. It may lead to accessing 'control'
+array at a wrong index.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Artemii Karasev <karasev@ispras.ru>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230207132026.2870-1-karasev@ispras.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/synth/emux/emux_nrpn.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/synth/emux/emux_nrpn.c
++++ b/sound/synth/emux/emux_nrpn.c
+@@ -363,6 +363,9 @@ int
+ snd_emux_xg_control(struct snd_emux_port *port, struct snd_midi_channel *chan,
+ 		    int param)
+ {
++	if (param >= ARRAY_SIZE(chan->control))
++		return -EINVAL;
++
+ 	return send_converted_effect(xg_effects, ARRAY_SIZE(xg_effects),
+ 				     port, chan, param,
+ 				     chan->control[param],
diff --git a/queue-4.19/series b/queue-4.19/series
index 66818a4e591..1c6ef8142c6 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -41,3 +41,4 @@ serial-8250_dma-fix-dma-rx-rearm-race.patch
 thermal-intel-int340x-add-locking-to-int340x_thermal_get_trip_type.patch
 iio-adc-twl6030-enable-measurement-of-vac.patch
 btrfs-limit-device-extents-to-the-device-size.patch
+alsa-emux-avoid-potential-array-out-of-bound-in-snd_emux_xg_control.patch