Message ID | 20230222144412.237832-2-krzysztof.kozlowski@linaro.org |
---|---|
State | Accepted |
Commit | 2367e0ecb498764e95cfda691ff0828f7d25f9a4 |
On 22/02/2023 14:44, Krzysztof Kozlowski wrote:
> There are two issues related to the number of ports coming from
> Devicetree when exceeding in total QCOM_SDW_MAX_PORTS. Both lead to
> incorrect memory accesses:
> 1. With DTS having too big value of input or output ports, the driver,
> when copying port parameters from local/stack arrays into 'pconfig'
> array in 'struct qcom_swrm_ctrl', will iterate over their sizes.
>
> 2. If DTS also has too many parameters for these ports (e.g.
> qcom,ports-sinterval-low), the driver will overflow buffers on the
> stack when reading these properties from DTS.
>
> Add a sanity check so incorrect DTS will not cause kernel memory
> corruption.
>
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> ---

Thanks Krzysztof, it makes sense.

Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

--srini

> drivers/soundwire/qcom.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c > index 79bebcecde6d..c296e0bf897b 100644 > --- a/drivers/soundwire/qcom.c > +++ b/drivers/soundwire/qcom.c > @@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl) > ctrl->num_dout_ports = val; > > nports = ctrl->num_dout_ports + ctrl->num_din_ports; > + if (nports > QCOM_SDW_MAX_PORTS) > + return -EINVAL; > + > /* Valid port numbers are from 1-14, so mask out port 0 explicitly */ > set_bit(0, &ctrl->dout_port_mask); > set_bit(0, &ctrl->din_port_mask);
diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c index 79bebcecde6d..c296e0bf897b 100644 --- a/drivers/soundwire/qcom.c +++ b/drivers/soundwire/qcom.c @@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl) ctrl->num_dout_ports = val; nports = ctrl->num_dout_ports + ctrl->num_din_ports; + if (nports > QCOM_SDW_MAX_PORTS) + return -EINVAL; + /* Valid port numbers are from 1-14, so mask out port 0 explicitly */ set_bit(0, &ctrl->dout_port_mask); set_bit(0, &ctrl->din_port_mask);
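Review bot: the new bound `if (nports > QCOM_SDW_MAX_PORTS)` still accepts nports equal to QCOM_SDW_MAX_PORTS, while the comment directly below it says valid port numbers run from 1-14 with port 0 masked out. If 'pconfig' or the stack arrays are indexed by port number rather than from zero, that boundary case needs one element more than QCOM_SDW_MAX_PORTS, so please confirm the array sizes against this comparison, and either tighten it to `>=` or size the arrays with one extra slot if they do not match. The early `return -EINVAL` is also silent; a dev_err() printing the summed port count and the limit would tell a DTS author why the port configuration was rejected.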
There are two issues related to the number of ports coming from Devicetree when exceeding in total QCOM_SDW_MAX_PORTS. Both lead to incorrect memory accesses:

1. With DTS having too big value of input or output ports, the driver, when copying port parameters from local/stack arrays into 'pconfig' array in 'struct qcom_swrm_ctrl', will iterate over their sizes.

2. If DTS also has too many parameters for these ports (e.g. qcom,ports-sinterval-low), the driver will overflow buffers on the stack when reading these properties from DTS.

Add a sanity check so incorrect DTS will not cause kernel memory corruption.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
---
drivers/soundwire/qcom.c | 3 +++
1 file changed, 3 insertions(+)