@@ -76,12 +76,17 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
struct sof_client_dev *cdev = file->private_data;
struct sof_msg_inject_priv *priv = cdev->data;
struct sof_ipc4_msg *ipc4_msg = priv->rx_buffer;
+ size_t header_size = sizeof(ipc4_msg->header_u64);
size_t remaining;
if (!ipc4_msg->header_u64 || !count || *ppos)
return 0;
- remaining = sizeof(ipc4_msg->header_u64);
+ /* we need space for the header at minimum (u64) */
+ if (count < header_size)
+ return -ENOSPC;
+
+ remaining = header_size;
/* Only get large config have payload */
if (SOF_IPC4_MSG_IS_MODULE_MSG(ipc4_msg->primary) &&
@@ -90,13 +95,15 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
if (count > remaining)
count = remaining;
+ else if (count < remaining)
+ remaining = count;
/* copy the header first */
- if (copy_to_user(buffer, &ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64)))
+ if (copy_to_user(buffer, &ipc4_msg->header_u64, header_size))
return -EFAULT;
- *ppos += sizeof(ipc4_msg->header_u64);
- remaining -= sizeof(ipc4_msg->header_u64);
+ *ppos += header_size;
+ remaining -= header_size;
if (!remaining)
return count;
If user space provides smaller buffer than the IPC4 reply then it is possible that we corrupt user space memory since the IPC4 dfs_read function is not using the count directly in copy_to_user() due to the nature of an IPC4 message. Cap the remaining counter to make sure that we are not writing too much to the user space provided buffer. Add a check also to make sure that the buffer is at least the size of the IPC4 header. Fixes: 066c67624d8c: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages" Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> --- sound/soc/sof/sof-client-ipc-msg-injector.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)