From 3331bcd6a2f2dbe9c1fa764df695422c99e2f1fb Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Date: Mon, 21 Sep 2020 14:08:10 +0300
Subject: [PATCH] ASoC: SOF: control: fix size checks for ext_bytes control
 .get()

cppcheck complains twice:

sound/soc/sof/control.c:436:2: style: Assignment of function parameter
has no effect outside the function. [uselessAssignmentArg]
 size -= sizeof(const struct snd_ctl_tlv);
 ^

sound/soc/sof/control.c:436:7: style: Variable 'size' is assigned a
value that is never used. [unreadVariable]
 size -= sizeof(const struct snd_ctl_tlv);

Somehow we dropped the checks for the size argument when upstreaming
the code, somewhere between v5 and v6.

Re-add a size check to avoid providing userspace with more data that
it asked for.

Also fix all error codes, we should return -ENOSPC instead of -EINVAL.

Fixes: c3078f5397046 ('ASoC: SOF: Add Sound Open Firmware KControl support')
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://lore.kernel.org/r/20200921110814.2910477-2-kai.vehmanen@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/sof/control.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c
index 58f8c99..8d499d0 100644
--- a/sound/soc/sof/control.c
+++ b/sound/soc/sof/control.c
@@ -432,7 +432,9 @@ int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol,
 	 * Decrement the limit by ext bytes header size to
 	 * ensure the user space buffer is not exceeded.
 	 */
-	size -= sizeof(const struct snd_ctl_tlv);
+	if (size < sizeof(struct snd_ctl_tlv))
+		return -ENOSPC;
+	size -= sizeof(struct snd_ctl_tlv);
 
 	/* set the ABI header values */
 	cdata->data->magic = SOF_ABI_MAGIC;
@@ -448,6 +450,10 @@ int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol,
 
 	data_size = cdata->data->size + sizeof(const struct sof_abi_hdr);
 
+	/* make sure we don't exceed size provided by user space for data */
+	if (data_size > size)
+		return -ENOSPC;
+
 	header.numid = scontrol->cmd;
 	header.length = data_size;
 	if (copy_to_user(tlvd, &header, sizeof(const struct snd_ctl_tlv)))
-- 
2.7.4