ASoC: SOF: ipc3-dtrace: fix potential integer overflow in allocation

samasth-norway · broonie · commit ce2335cd14b6 · 2025-09-18T22:26:31.000+01:00
Fix a potential integer overflow vulnerability in trace_filter_parse() where the allocation size calculation could overflow. The issue occurs when: 1. capacity is calculated by adding TRACE_FILTER_ELEMENTS_PER_ENTRY in a loop for each entry found in the input string. 2. capacity * sizeof(**out) multiplication could overflow if many entries are present in the input. 3. This results in a smaller allocation than expected, leading to potential buffer overflow. Replace kmalloc() with kmalloc_array() which provides built-in overflow checking and will safely fail the allocation if overflow would occur, preventing memory corruption. Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> Link: https://patch.msgid.link/20250909225111.3740029-1-samasth.norway.ananda@oracle.com Signed-off-by: Mark Brown <broonie@kernel.org>
diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c
@@ -126,7 +126,7 @@ static int trace_filter_parse(struct snd_sof_dev *sdev, char *string,
 		capacity += TRACE_FILTER_ELEMENTS_PER_ENTRY;
 		entry = strchr(entry + 1, entry_delimiter[0]);
 	}
-	*out = kmalloc(capacity * sizeof(**out), GFP_KERNEL);
+	*out = kmalloc_array(capacity, sizeof(**out), GFP_KERNEL);
 	if (!*out)
 		return -ENOMEM;
 

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ static int trace_filter_parse(struct snd_sof_dev sdev, char string,`
`126`	`126`	`capacity += TRACE_FILTER_ELEMENTS_PER_ENTRY;`
`127`	`127`	`entry = strchr(entry + 1, entry_delimiter[0]);`
`128`	`128`	`}`
`129`		`- out = kmalloc(capacity sizeof(**out), GFP_KERNEL);`
	`129`	`+ out = kmalloc_array(capacity, sizeof(*out), GFP_KERNEL);`
`130`	`130`	`if (!*out)`
`131`	`131`	`return -ENOMEM;`
`132`	`132`