Description
In the Linux kernel, the following vulnerability has been resolved:

ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()

snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0).

While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined.

Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer.

Found by kernel fuzz testing through Xiaomi Smartphone.
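The loop described above, as an added userspace model (not the kernel source or the actual patch): check_enum_names(), counted_strnlen(), the guard switch and sample_names are hypothetical names, and the 64-byte name limit is an assumption of the model. It shows that the guard returns the same error as the name_len == 0 path while never calling strnlen() with a zero length.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* for strnlen() */
#endif
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Counts strnlen() calls made with maxlen == 0, the case the fix avoids. */
static unsigned int zero_len_calls;

static size_t counted_strnlen(const char *p, size_t maxlen)
{
	if (maxlen == 0)
		zero_len_calls++;
	return strnlen(p, maxlen);
}

/*
 * Model of the name-walking loop: 'names' packs NUL-terminated strings
 * into buf_len bytes and 'items' says how many the caller claims.
 * 'guard' selects whether the buf_len == 0 check runs at loop entry.
 */
static int check_enum_names(const char *names, size_t buf_len,
			    unsigned int items, int guard)
{
	const char *p = names;
	unsigned int i;

	for (i = 0; i < items; i++) {
		size_t name_len;

		if (guard && buf_len == 0)
			return -EINVAL;	/* buffer exhausted, items remain */
		name_len = counted_strnlen(p, buf_len);
		if (name_len == 0 || name_len >= 64 || name_len == buf_len)
			return -EINVAL;
		p += name_len + 1;	/* skip the name and its NUL */
		buf_len -= name_len + 1;
	}
	return 0;
}

/* Constructed sample: two names ("a", "b") filling exactly 4 bytes. */
static const char sample_names[4] = { 'a', '\0', 'b', '\0' };

int main(void)
{
	/* Caller claims 3 items but only 2 fit: rejected by the guard. */
	return check_enum_names(sample_names, 4, 3, 1) == -EINVAL ? 0 : 1;
}
```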
Product status
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before 708f6ec9bcdf58bfd561409110baaf4fd3be4ea3
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before bfcbb4994da9e979c4bcfcf24aaaac69e457e48e
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before a470f7cabc4df72d9bd132f5719a8717292bb440
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before 1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before 8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before 654c818a69c21d2bea4e8fd9eae7da865df9a5c8
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before 82012fd3e78a14360fbc2f1a7491589896704f97
8d448162bda5ae3b5ecb26fe50c8fbbeae99faa4 (git) before e0da8a8cac74f4b9f577979d131f0d2b88a84487
3.2
Any version before 3.2
5.10.258 (semver)
5.15.209 (semver)
6.1.175 (semver)
6.6.140 (semver)
6.12.86 (semver)
6.18.27 (semver)
7.0.4 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/708f6ec9bcdf58bfd561409110baaf4fd3be4ea3
git.kernel.org/...c/bfcbb4994da9e979c4bcfcf24aaaac69e457e48e
git.kernel.org/...c/a470f7cabc4df72d9bd132f5719a8717292bb440
git.kernel.org/...c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0
git.kernel.org/...c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e
git.kernel.org/...c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8
git.kernel.org/...c/82012fd3e78a14360fbc2f1a7491589896704f97
git.kernel.org/...c/e0da8a8cac74f4b9f577979d131f0d2b88a84487