ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control

bmastbergen · bmastbergen · commit 6042ea9b9cf2 · 2025-11-19T20:07:53.000-05:00
jira VULN-152893 cve CVE-2025-39751 commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de> commit a409c60 The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte buffer if either string argument is too long. This triggers a compiler warning. Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent overflow. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de> Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de Signed-off-by: Takashi Iwai <tiwai@suse.de> (cherry picked from commit a409c60) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
@@ -4017,7 +4017,7 @@ static int add_tuning_control(struct hda_codec *codec,
 	}
 	knew.private_value =
 		HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
-	sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
+	snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);
 	return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4017,7 +4017,7 @@ static int add_tuning_control(struct hda_codec *codec,`
`4017`	`4017`	`}`
`4018`	`4018`	`knew.private_value =`
`4019`	`4019`	`HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);`
`4020`		`- sprintf(namestr, "%s %s Volume", name, dirstr[dir]);`
	`4020`	`+ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);`
`4021`	`4021`	`return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));`
`4022`	`4022`	`}`
`4023`	`4023`