linux/sound/soc
Tavian Barnes 7dd7f39fce
ASoC: SOF: Intel: hda: Fix UAF when reloading module
hda_generic_machine_select() appends -idisp to the tplg filename by
allocating a new string with devm_kasprintf(), then stores the string
right back into the global variable snd_soc_acpi_intel_hda_machines.
When the module is unloaded, this memory is freed, resulting in a global
variable pointing to freed memory.  Reloading the module then triggers
a use-after-free:

BUG: KFENCE: use-after-free read in string+0x48/0xe0

Use-after-free read at 0x00000000967e0109 (in kfence-#99):
 string+0x48/0xe0
 vsnprintf+0x329/0x6e0
 devm_kvasprintf+0x54/0xb0
 devm_kasprintf+0x58/0x80
 hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]
 sof_probe_work+0x7f/0x600 [snd_sof]
 process_one_work+0x17b/0x330
 worker_thread+0x2ce/0x3f0
 kthread+0xcf/0x100
 ret_from_fork+0x31/0x50
 ret_from_fork_asm+0x1a/0x30

kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64

allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):
 devm_kmalloc+0x52/0x120
 devm_kvasprintf+0x66/0xb0
 devm_kasprintf+0x58/0x80
 hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]
 sof_probe_work+0x7f/0x600 [snd_sof]
 process_one_work+0x17b/0x330
 worker_thread+0x2ce/0x3f0
 kthread+0xcf/0x100
 ret_from_fork+0x31/0x50
 ret_from_fork_asm+0x1a/0x30

freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):
 release_nodes+0x43/0xb0
 devres_release_all+0x90/0xf0
 device_unbind_cleanup+0xe/0x70
 device_release_driver_internal+0x1c1/0x200
 driver_detach+0x48/0x90
 bus_remove_driver+0x6d/0xf0
 pci_unregister_driver+0x42/0xb0
 __do_sys_delete_module+0x1d1/0x310
 do_syscall_64+0x82/0x190
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fix it by copying the match array with devm_kmemdup_array() before we
modify it.

Fixes: 5458411d75 ("ASoC: SOF: Intel: hda: refactoring topology name fixup for HDA mach")
Suggested-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Tavian Barnes <tavianator@tavianator.com>
Link: https://patch.msgid.link/570b15570b274520a0d9052f4e0f064a29c950ef.1747229716.git.tavianator@tavianator.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2025-05-14 16:34:48 +02:00
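The failure mode the commit message describes, as an added example in userspace C that is not part of the kernel or of this commit. The devres pool, `struct device`, `struct snd_soc_acpi_mach` and the table contents are simplified stand-ins (assumptions), as is the table name appearing in a module that stays loaded across the reload; `hda_machine_select_buggy()` mirrors the pre-fix flow the message describes and `hda_machine_select_fixed()` the `devm_kmemdup_array()` fix. `reload_scenario()` drives probe, unbind, probe and reports whether the second probe would start from a freed pointer.

```c
/* Userspace model of the lifetime bug this commit fixes. Added example, not kernel
 * code: devres pool, struct layout and table contents are simplified stand-ins
 * (assumptions). devm_* memory belongs to the device and is freed in bulk on
 * unbind, so a static table that outlives the device must not hold a devm pointer. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define MAX_DEVRES 16

struct snd_soc_acpi_mach { const char *sof_tplg_filename; };
struct device { void *devres[MAX_DEVRES]; int n_devres; };

static void *devm_kmalloc(struct device *dev, size_t n)
{
	void *p = dev->n_devres < MAX_DEVRES ? malloc(n) : NULL;
	if (p)
		dev->devres[dev->n_devres++] = p;
	return p;
}

static void *devm_kmemdup_array(struct device *dev, const void *src, size_t count, size_t size)
{
	void *p = devm_kmalloc(dev, count * size);
	return p ? memcpy(p, src, count * size) : NULL;
}

static char *devm_kasprintf(struct device *dev, const char *fmt, ...)
{
	char buf[128]; /* large enough for this example */
	va_list ap;
	va_start(ap, fmt);
	vsnprintf(buf, sizeof(buf), fmt, ap);
	va_end(ap);
	char *p = devm_kmalloc(dev, strlen(buf) + 1);
	return p ? strcpy(p, buf) : NULL;
}

/* What devres_release_all() does on driver unbind (rmmod): every devm allocation goes. */
static void devres_release_all(struct device *dev)
{
	for (int i = 0; i < dev->n_devres; i++)
		free(dev->devres[i]);
	dev->n_devres = 0;
}

/* Module-scope table (modelled as living in a module that stays loaded). Constructed contents. */
static struct snd_soc_acpi_mach snd_soc_acpi_intel_hda_machines[] = {
	{ "sof-hda-generic" }, { NULL } /* sentinel */
};

/* Before the fix: a device-owned string is stored in the static table. */
static struct snd_soc_acpi_mach *hda_machine_select_buggy(struct device *dev)
{
	struct snd_soc_acpi_mach *mach = snd_soc_acpi_intel_hda_machines;
	char *tplg = devm_kasprintf(dev, "%s-idisp", mach->sof_tplg_filename);
	if (!tplg)
		return NULL;
	mach->sof_tplg_filename = tplg; /* BUG: dangles once the device is unbound */
	return mach;
}

/* After the fix: duplicate the table into device-owned memory and modify the copy. */
static struct snd_soc_acpi_mach *hda_machine_select_fixed(struct device *dev)
{
	struct snd_soc_acpi_mach *mach = devm_kmemdup_array(dev, snd_soc_acpi_intel_hda_machines,
			ARRAY_SIZE(snd_soc_acpi_intel_hda_machines), sizeof(*mach));
	char *tplg = mach ? devm_kasprintf(dev, "%s-idisp", mach->sof_tplg_filename) : NULL;
	if (!tplg)
		return NULL;
	mach->sof_tplg_filename = tplg; /* the static table is left untouched */
	return mach;
}

/* probe -> unbind -> probe, as insmod/rmmod/insmod. Returns 1 if the second probe
 * would read freed memory, 0 if it is safe, -1 on allocation failure. The table
 * entry is restored afterwards (test scaffolding) so either variant can run first. */
static int reload_scenario(bool fixed)
{
	struct snd_soc_acpi_mach *(*select)(struct device *) =
		fixed ? hda_machine_select_fixed : hda_machine_select_buggy;
	const char *saved = snd_soc_acpi_intel_hda_machines[0].sof_tplg_filename;
	struct device dev = { { NULL }, 0 };
	int rc = -1;
	if (select(&dev)) {                /* first probe (insmod) */
		devres_release_all(&dev);  /* rmmod frees every devm allocation */
		/* Second probe starts by reading the table entry. Anything other than
		 * the static initializer was devm memory and has just been freed. */
		if (snd_soc_acpi_intel_hda_machines[0].sof_tplg_filename != saved)
			rc = 1;
		else
			rc = select(&dev) ? 0 : -1;
	}
	devres_release_all(&dev);
	snd_soc_acpi_intel_hda_machines[0].sof_tplg_filename = saved;
	return rc;
}
```

The dangling state is detected by pointer comparison rather than by dereferencing, since once `devres_release_all()` has run, any table entry that is not the static initializer pointed into device memory. The rule this encodes is the one the fix relies on: `devm_*` allocations are scoped to one device binding, so storing one in anything with a longer lifetime (a static match table, a module-level global, another device's private data) leaves a use-after-free for the next probe to hit.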
Name | Last commit | Date
adi | ASoC: Switch back to struct platform_driver::remove() | 2024-09-09 18:26:49 +01:00
amd | ASoC: amd: ps: fix for irq handler return status | 2025-05-01 08:22:36 +09:00
apple | ASoC: apple: Fix the wrong format specifier | 2024-11-21 14:03:18 +00:00
atmel | ASoC: atmel: tse850-pcm5142: Use SOC_SINGLE_EXT() helper macro | 2025-03-03 18:14:53 +00:00
au1x | ASoC: au1x: Convert to DEFINE_SIMPLE_DEV_PM_OPS() | 2025-03-17 10:13:47 +00:00
bcm | ASoC: bcm63xx-pcm-whistler: fix uninit-value in i2s_dma_isr | 2024-11-05 12:53:28 +00:00
cirrus | soc: convert ep93xx to devicetree | 2024-09-26 12:00:25 -07:00
codecs | ASoC: cs42l43: Disable headphone clamps during type detection | 2025-04-23 12:42:28 +01:00
dwc | ASoC: dwc: always enable/disable i2s irqs | 2025-04-06 23:18:15 +01:00
fsl | ASoC: imx-card: Adjust over allocation of memory in imx_card_parse_of() | 2025-04-13 20:20:36 +01:00
generic | ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction | 2025-05-01 08:22:35 +09:00
google | ASoC: google: fix module autoloading | 2024-08-26 15:52:07 +01:00
hisilicon | |
img | ASoC: img: Convert to RUNTIME_PM_OPS() and co | 2025-03-17 10:14:40 +00:00
intel | ASoC: Intel: catpt: avoid type mismatch in dev_dbg() format | 2025-04-30 09:38:11 +09:00
jz4740 | ASoC: jz4740: Use *-y instead of *-objs in Makefile | 2024-05-08 11:39:21 +09:00
kirkwood | ASoC: kirkwood: use inclusive language for SND_SOC_DAIFMT_CBx_CFx | 2025-02-25 13:19:20 +00:00
loongson | ASoC: loongson: make loongson-i2s.o a separate module | 2024-10-17 12:13:10 +01:00
mediatek | ASoC: mediatek: mt8188-mt6359: Depend on MT6359_ACCDET set or disabled | 2025-05-08 23:12:29 +09:00
meson | ASoC: meson: meson-card-utils: use inclusive language for SND_SOC_DAIFMT_CBx_CFx | 2025-03-03 12:58:54 +00:00
mxs | ASoC: mxs: use inclusive language for SND_SOC_DAIFMT_CBx_CFx | 2025-03-03 12:57:19 +00:00
pxa | ASoC: pxa: use inclusive language for SND_SOC_DAIFMT_CBx_CFx | 2025-03-03 12:57:20 +00:00
qcom | ASoC: qcom: Fix sc7280 lpass potential buffer overflow | 2025-04-06 23:18:17 +01:00
renesas | ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS() | 2025-04-24 12:51:46 +01:00
rockchip | ASoC: rockchip: Convert to RUNTIME_PM_OPS() & co | 2025-03-17 10:14:53 +00:00
samsung | ASoC: samsung: Convert to RUNTIME_PM_OPS() & co | 2025-03-17 10:14:54 +00:00
sdca | ASoC: SDCA: Correct handling of selected mode DisCo property | 2025-03-21 15:45:25 +00:00
sdw_utils | ASoC: intel/sdw_utils: Add volume limit to cs35l56 speakers | 2025-05-01 08:22:06 +09:00
sof | ASoC: SOF: Intel: hda: Fix UAF when reloading module | 2025-05-14 16:34:48 +02:00
spear | ASoC: spear: Use *-y instead of *-objs in Makefile | 2024-05-08 11:39:31 +09:00
sprd | ASoC: Switch back to struct platform_driver::remove() | 2024-09-09 18:26:49 +01:00
starfive | ASoC: Switch back to struct platform_driver::remove() | 2024-09-09 18:26:49 +01:00
sti | ASoC: sti: add missing probe entry for player and reader | 2024-07-29 13:36:56 +01:00
stm | ASoC: stm32: sai: add a check on minimal kernel frequency | 2025-05-01 08:06:43 +09:00
sunxi | ASoC: sunxi: Convert to RUNTIME_PM_OPS() | 2025-03-17 10:14:59 +00:00
tegra | ASoC: Convert to modern PM macros | 2025-03-17 21:12:54 +00:00
ti | treewide: Switch/rename to timer_delete[_sync]() | 2025-04-05 10:30:12 +02:00
uniphier | ASoC: uniphier: use devm_kmemdup_array() | 2025-02-28 14:01:01 +00:00
ux500 | ASoC: ux500: use inclusive language for SND_SOC_DAIFMT_CBx_CFx | 2025-03-03 12:58:53 +00:00
xilinx | ASoC: xilinx: xlnx_spdif: Simpify using devm_clk_get_enabled() | 2025-01-16 15:20:41 +00:00
xtensa | ASoC: xtensa: Convert to RUNTIME_PM_OPS() | 2025-03-17 10:15:03 +00:00
Kconfig | ASoC: ops-test: Add some basic kunit tests for soc-ops | 2025-03-19 12:47:57 +00:00
Makefile | ASoC: ops-test: Add some basic kunit tests for soc-ops | 2025-03-19 12:47:57 +00:00
soc-ac97.c | ASoC: soc-ac97: Fix the incorrect description | 2024-09-10 12:40:24 +01:00
soc-acpi.c | ASoC/soundwire: remove sdw_slave_extended_id | 2024-10-17 18:42:10 +01:00
soc-card-test.c | ASoC: Drop snd_soc_*_get_kcontrol_locked() | 2024-08-09 14:24:55 +02:00
soc-card.c | ASoC: add common snd_soc_ret() and use it | 2025-02-06 17:26:18 +00:00
soc-component.c | ASoC: add common snd_soc_ret() and use it | 2025-02-06 17:26:18 +00:00
soc-compress.c | ASoC: remove dpcm_process_paths() | 2025-02-16 23:51:06 +00:00
soc-core.c | ASoC: soc-core: Use str_yes_no() in snd_soc_close_delayed_work() | 2025-02-20 12:52:04 +00:00
soc-dai.c | ASoC: soc-dai: add snd_soc_dai_mute_is_ctrled_at_trigger() | 2025-03-06 15:38:44 +00:00
soc-dapm.c | ASoC: remove update from snd_soc_card | 2025-02-16 23:51:05 +00:00
soc-devres.c | ASoC: soc-devres: Remove unused devm_snd_soc_register_dai | 2024-10-28 12:23:27 +00:00
soc-generic-dmaengine-pcm.c | ALSA: dmaengine: Synchronize dma channel after drop() | 2024-06-11 17:13:31 +01:00
soc-jack.c | |
soc-link.c | ASoC: add common snd_soc_ret() and use it | 2025-02-06 17:26:18 +00:00
soc-ops-test.c | ASoC: ops-test: Add some basic kunit tests for soc-ops | 2025-03-19 12:47:57 +00:00
soc-ops.c | ASoC: ops: Apply platform_max after deciding control type | 2025-03-19 17:56:36 +00:00
soc-pcm.c | ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence | 2025-04-13 20:20:37 +01:00
soc-topology-test.c | ASoC: soc-topology: remove dpcm_xxx flags | 2024-10-23 13:02:02 +01:00
soc-topology.c | ASoC: ops: Remove snd_soc_put_volsw_range() | 2025-03-19 12:48:05 +00:00
soc-utils-test.c | |
soc-utils.c | ASoC: soc-utils: Transition to the faux device interface | 2025-03-17 16:25:51 +00:00