ALSA: silence integer wrapping warning

This patch doesn't change runtime at all, it's just for kernel hardening. The "count" here comes from the user and on 32bit systems, it leads to integer wrapping when we pass it to compute_user_elem_size(): alloc_size = compute_user_elem_size(private_size, count); However, the integer over is harmless because later "count" is checked when we pass it to snd_ctl_new(): err = snd_ctl_new(&kctl, count, access, file); These days as part of kernel hardening we're trying to avoid integer overflows when they affect size_t type. So to avoid the integer overflow copy the check from snd_ctl_new() and do it at the start of the snd_ctl_elem_add() function as well. Signed-off-by: Dan Carpenter <[email protected]> Reviewed-by: Jaroslav Kysela <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Takashi Iwai <[email protected]>
author: Dan Carpenter <[email protected]> 2024-09-30 10:19:58 +0300
committer: Takashi Iwai <[email protected]> 2024-10-01 14:56:40 +0200
commit: a04dae6fa4fc56c6a29cd40e133ef6a77f2c7e4e (patch)
tree: aef6688bd2d893308683903060ad837e3db27b65
parent: 8a193d8e351d185d75186bf0bdfa979e19d8fba8 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/sound/core/control.c b/sound/core/control.c
index 4f55f64c42e1..82b9d14f4ee3 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1641,6 +1641,8 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
 	count = info->owner;
 	if (count == 0)
 		count = 1;
+	if (count > MAX_CONTROL_COUNT)
+		return -EINVAL;
 
 	/* Arrange access permissions if needed. */
 	access = info->access;
author	Dan Carpenter <[email protected]>	2024-09-30 10:19:58 +0300
committer	Takashi Iwai <[email protected]>	2024-10-01 14:56:40 +0200
commit	a04dae6fa4fc56c6a29cd40e133ef6a77f2c7e4e (patch)
tree	aef6688bd2d893308683903060ad837e3db27b65
parent	8a193d8e351d185d75186bf0bdfa979e19d8fba8 (diff)