CVE-2025-21870

Source: https://nvd.nist.gov/vuln/detail/CVE-2025-21870
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21870.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2025-21870
Published: 2025-03-27T13:38:22.849Z
Modified: 2025-11-20T08:23:26.451449Z
Summary
ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers

Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio.

The correct fix is to harden the matching logic by making sure that the
1. widget is a DAI widget - so dai = w->private is valid
2. the dai (and thus the copier) is ALH copier

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: a150345aa758492e05d2934f318ce7c2566b1cfe
Fixed: 87c8768a96092ce75cd47fe076db5080db7ac515

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: a150345aa758492e05d2934f318ce7c2566b1cfe
Fixed: 93c6c2e5801aab09ef1ef99f248f3cd323c3f152

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: a150345aa758492e05d2934f318ce7c2566b1cfe
Fixed: 6fd60136d256b3b948333ebdb3835f41a95ab7ef

Affected versions

v5.*

v5.19
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.14-rc1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7


Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Introduced: 6.0.0
Fixed: 6.12.17

Type: ECOSYSTEM
Introduced: 6.13.0
Fixed: 6.13.5