CVE-2023-53788

Summary

In the Linux kernel, the following vulnerability has been resolved:

ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()

tuning_ctl_set() might have buffer overrun at (X) if it didn't break from loop by matching (A).

static int tuning_ctl_set(...)
{
	for (i = 0; i < TUNING_CTLS_COUNT; i++)

(A) if (nid == ca0132_tuning_ctls[i].nid) break;

	snd_hda_power_up(...);

(X) dspio_set_param(…, ca0132_tuning_ctls[i].mid, …); snd_hda_power_down(…); ^

	return 1;
}

We will get below error by cppcheck

sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
 for (i = 0; i < TUNING_CTLS_COUNT; i++)
 ^
sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
 dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
                                           ^

This patch cares non match case.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < ff5e8b49348f6a550c136b74efaf8b3c1d3ceaeaaffected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < 3590498117a11aa1f92a97e8a04d95320e347ebdaffected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < 7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99affected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < baef27176ea5fdc7ad0947e2dc7733855e35db71affected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < d23f65f08247068576a01e28b297e995b7dc3965affected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < 32854bc91ae7debcdefdc7ae881ed83385a04792affected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < 734a3deb6614e3597e7e9ef7fb6006c593c5ee18affected
LinuxLinux44f0c9782cc6ab71ea947f8f710a46f2078a151c < 98e5eb110095ec77cb6d775051d181edbf9cd3cfaffected
LinuxLinux3.9affected
LinuxLinux0 < 3.9unaffected
LinuxLinux4.14.312 <= 4.14.*unaffected
LinuxLinux4.19.280 <= 4.19.*unaffected
LinuxLinux5.4.240 <= 5.4.*unaffected
LinuxLinux5.10.177 <= 5.10.*unaffected
LinuxLinux5.15.106 <= 5.15.*unaffected
LinuxLinux6.1.23 <= 6.1.*unaffected
LinuxLinux6.2.10 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References