ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control

PlaidCat · PlaidCat · commit 8bc673698179 · 2025-10-31T11:55:52.000-04:00
jira VULN-152896 jira VULN-152895 cve CVE-2025-39751 commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de> commit a409c60 The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte buffer if either string argument is too long. This triggers a compiler warning. Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent overflow. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de> Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de Signed-off-by: Takashi Iwai <tiwai@suse.de> (cherry picked from commit a409c60) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
@@ -4399,7 +4399,7 @@ static int add_tuning_control(struct hda_codec *codec,
 	}
 	knew.private_value =
 		HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
-	sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
+	snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);
 	return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4399,7 +4399,7 @@ static int add_tuning_control(struct hda_codec *codec,`
`4399`	`4399`	`}`
`4400`	`4400`	`knew.private_value =`
`4401`	`4401`	`HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);`
`4402`		`- sprintf(namestr, "%s %s Volume", name, dirstr[dir]);`
	`4402`	`+ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);`
`4403`	`4403`	`return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));`
`4404`	`4404`	`}`
`4405`	`4405`