CVE-2024-46793

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder<br /> <br /> Since commit 13f58267cda3 ("ASoC: soc.h: don&amp;#39;t create dummy Component<br /> via COMP_DUMMY()") dummy codecs declared like this:<br /> <br /> SND_SOC_DAILINK_DEF(dummy,<br /> DAILINK_COMP_ARRAY(COMP_DUMMY()));<br /> <br /> expand to:<br /> <br /> static struct snd_soc_dai_link_component dummy[] = {<br /> };<br /> <br /> Which means that dummy is a zero sized array and thus dais[i].codecs should<br /> not be dereferenced *at all* since it points to the address of the next<br /> variable stored in the data section as the "dummy" variable has an address<br /> but no size, so even dereferencing dais[0] is already an out of bounds<br /> array reference.<br /> <br /> Which means that the if (dais[i].codecs-&gt;name) check added in<br /> commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref<br /> in BYT/CHT boards") relies on that the part of the next variable which<br /> the name member maps to just happens to be NULL.<br /> <br /> Which apparently so far it usually is, except when it isn&amp;#39;t<br /> and then it results in crashes like this one:<br /> <br /> [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011<br /> ...<br /> [ 28.795780] Call Trace:<br /> [ 28.795787] <br /> ...<br /> [ 28.795862] ? strcmp+0x18/0x40<br /> [ 28.795872] 0xffffffffc150c605<br /> [ 28.795887] platform_probe+0x40/0xa0<br /> ...<br /> [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]<br /> <br /> Really fix things this time around by checking dais.num_codecs != 0.