Message-ID:
 <SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com>
Date: Tue, 09 Dec 2025 13:16:41 +0800
From: Junrui Luo <moonafterrain@...look.com>
To: Clemens Ladisch <clemens@...isch.de>, 
 Takashi Sakamoto <o-takashi@...amocchi.jp>, 
 Jaroslav Kysela <perex@...ex.cz>, Takashi Iwai <tiwai@...e.com>
Cc: Takashi Iwai <tiwai@...e.de>, linux-sound@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Junrui Luo <moonafterrain@...look.com>
Subject: [PATCH] ALSA: firewire-motu: add bounds check in put_user loop for
 DSP events

In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.

Fix by adding a bounds check before put_user().

Suggested-by: Takashi Iwai <tiwai@...e.de>
Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Signed-off-by: Junrui Luo <moonafterrain@...look.com>
---
 sound/firewire/motu/motu-hwdep.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
index 6675b23aad69..89dc436a0652 100644
--- a/sound/firewire/motu/motu-hwdep.c
+++ b/sound/firewire/motu/motu-hwdep.c
@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
 		while (consumed < count &&
 		       snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) {
 			ptr = (u32 __user *)(buf + consumed);
-			if (put_user(ev, ptr))
+			if (consumed + sizeof(ev) > count || put_user(ev, ptr))
 				return -EFAULT;
 			consumed += sizeof(ev);
 		}

---
base-commit: 210d77cca3d0494ed30a5c628b20c1d95fa04fb1
change-id: 20251209-fixes-28e18627cc79

Best regards,
-- 
Junrui Luo <moonafterrain@...look.com>

Powered by blists - more mailing lists