On Thu, 07 May 2026 16:28:30 +0200,
Cássio Gabriel wrote:
>
> virtio-snd control handling trusts the device-provided control type and
> value count returned by the device.
>
> That metadata is then used directly to index g_v2a_type_map[] in
> virtsnd_kctl_info(), and to size loops and memcpy() operations in
> virtsnd_kctl_get() and virtsnd_kctl_put() against fixed-size
> virtio_snd_ctl_value and snd_ctl_elem_value arrays.
>
> A buggy or malicious device can therefore trigger out-of-bounds access by
> advertising an invalid control type or an oversized value count.
>
> Validate control type and count once in virtsnd_kctl_parse_cfg(), before
> querying enumerated items or exposing the control to ALSA.
>
> Fixes: d6568e3de42d ("ALSA: virtio: add support for audio controls")
> Cc: [email protected]
> Signed-off-by: Cássio Gabriel <[email protected]>
Applied to for-next branch now. Thanks.
Takashi
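
The validate-once approach the commit message describes, shown as an added example that is not part of the patch or of this thread. It is a user-space C model; the type names, CTL_MAX_VALUES and every function name are hypothetical stand-ins, not the driver's identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the driver's control types and array limit. */
enum { CTL_BOOLEAN, CTL_INTEGER, CTL_ENUMERATED, CTL_TYPE_COUNT };
#define CTL_MAX_VALUES 128

struct ctl_info  { uint32_t type; uint32_t count; };    /* device-provided */
struct ctl_value { uint32_t integer[CTL_MAX_VALUES]; }; /* fixed-size buffer */

static const int type_map[CTL_TYPE_COUNT] = { 1, 2, 3 };

/* Parse-time check: 0 if the metadata is usable, -1 if it is rejected. */
int ctl_parse_cfg(const struct ctl_info *info)
{
    if (info->type >= CTL_TYPE_COUNT)  /* would index past type_map[] */
        return -1;
    if (info->count > CTL_MAX_VALUES)  /* would overrun the value arrays */
        return -1;
    return 0;
}

/* Expose a control only if it validates; returns the mapped type or -1. */
int ctl_register(const struct ctl_info *info)
{
    if (ctl_parse_cfg(info) < 0)
        return -1;
    return type_map[info->type];
}

/* Copy 'count' values; only called for controls that were registered. */
void ctl_get(const struct ctl_info *info, const struct ctl_value *dev,
             struct ctl_value *out)
{
    memcpy(out->integer, dev->integer, info->count * sizeof(dev->integer[0]));
}

int main(void)
{
    /* Constructed sample metadata: one valid control, two invalid ones. */
    struct ctl_info samples[] = {
        { CTL_INTEGER, 2 }, { 7, 2 }, { CTL_INTEGER, CTL_MAX_VALUES + 1 },
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("type=%u count=%u -> %d\n", (unsigned)samples[i].type,
               (unsigned)samples[i].count, ctl_register(&samples[i]));
    return 0;
}
```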