From: Mark Brown <broonie@kernel.org>
Date: Tue, 9 Jun 2026 17:41:15 +0000 (+0100)
Subject: ASoC: SOF: ipc3/ipc4-control: harden kcontrol payload handling
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f0b311829eb58e0a0541d356f651ba4399aa765;p=thirdparty%2Flinux.git

ASoC: SOF: ipc3/ipc4-control: harden kcontrol payload handling

Peter Ujfalusi <peter.ujfalusi@linux.intel.com> says:

This series hardens SOF kcontrol data paths for both IPC3 and IPC4 by
fixing size-handling bugs in put/get/update flows and tightening bounds
checks around firmware/user-provided payload lengths.

The changes include:

Fix TOCTOU-style size misuse in IPC3/IPC4 bytes put paths by validating and
using the incoming payload size.
Add notification/update payload size validation before parsing control data.
Use overflow-checked arithmetic when computing expected IPC3 control sizes.
Ensure update/copy bounds are validated against actual allocation limits.
Fix IPC3 bytes_ext bounds checks to account for struct header offset, closing
a heap overflow/over-read issue from unprivileged userspace TLV access.
Overall, the series makes control payload processing robust against malformed or
inconsistent sizes and prevents out-of-bounds accesses.

Link: https://patch.msgid.link/20260609083458.31193-1-peter.ujfalusi@linux.intel.com
---

9f0b311829eb58e0a0541d356f651ba4399aa765