[v2,3/6] ALSA: control: Apply sanity check of input values for user elements

Although we have already a mechanism for sanity checks of input values
for control writes, it's not applied unless the kconfig
CONFIG_SND_CTL_INPUT_VALIDATION is set due to the performance reason.
Nevertheless, it still makes sense to apply the check for user
elements despite of its cost, as that's the only way to filter out the
invalid values; the user controls are handled solely in ALSA core
code, and there is no corresponding driver, after all.

This patch enables the input value validation for user control
elements no matter whether CONFIG_SND_CTL_INPUT_VALIDATION is set or
not.  The kselftest will be happier with this change, as the incorrect
values will be bailed out now with errors.

For other normal controls, the check is applied still only when
CONFIG_SND_CTL_INPUT_VALIDATION is set.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/control.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Hi,

On Fri, Jun 14, 2024 at 05:37:12PM +0200, Takashi Iwai wrote:
> Although we have already a mechanism for sanity checks of input values
> for control writes, it's not applied unless the kconfig
> CONFIG_SND_CTL_INPUT_VALIDATION is set due to the performance reason.
> Nevertheless, it still makes sense to apply the check for user
> elements despite of its cost, as that's the only way to filter out the
> invalid values; the user controls are handled solely in ALSA core
> code, and there is no corresponding driver, after all.
> 
> This patch enables the input value validation for user control
> elements no matter whether CONFIG_SND_CTL_INPUT_VALIDATION is set or
> not.  The kselftest will be happier with this change, as the incorrect
> values will be bailed out now with errors.
> 
> For other normal controls, the check is applied still only when
> CONFIG_SND_CTL_INPUT_VALIDATION is set.
> 
> Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
> Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
> Reviewed-by: Jaroslav Kysela <perex@perex.cz>
> Reviewed-by: Mark Brown <broonie@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  sound/core/control.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/sound/core/control.c b/sound/core/control.c
> index fb0c60044f7b..50890983d7e2 100644
> --- a/sound/core/control.c
> +++ b/sound/core/control.c
> @@ -1317,7 +1317,8 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file,
>  	snd_ctl_build_ioff(&control->id, kctl, index_offset);
>  	result = snd_power_ref_and_wait(card);
>  	/* validate input values */
> -	if (IS_ENABLED(CONFIG_SND_CTL_INPUT_VALIDATION) && !result) {
> +	if ((IS_ENABLED(CONFIG_SND_CTL_INPUT_VALIDATION) ||
> +	     (vd->access & SNDRV_CTL_ELEM_ACCESS_USER)) && !result) {
>  		struct snd_ctl_elem_info info;
>  
>  		memset(&info, 0, sizeof(info));

In my opinion, the validation in 'snd_ctl_elem_user_put()' is preferable
instead. In the function, it is free to access to 'struct
user_element.info' for the validation.

In the commit coment, I can see "that's the only way to filter out the
invalid values", however it not so good idea, since the ALSA control core
function loses transparency against control elements somehow.
Furthermore, I can see "there is no corresponding driver", however it is
suspicious somehow. It would be smart to charge the validation
implementation for user-defined control element set if forcing it.


Regards

Takashi Sakamoto

On Sat, 15 Jun 2024 07:13:29 +0200,
Takashi Sakamoto wrote:
> 
> Hi,
> 
> On Fri, Jun 14, 2024 at 05:37:12PM +0200, Takashi Iwai wrote:
> > Although we have already a mechanism for sanity checks of input values
> > for control writes, it's not applied unless the kconfig
> > CONFIG_SND_CTL_INPUT_VALIDATION is set due to the performance reason.
> > Nevertheless, it still makes sense to apply the check for user
> > elements despite of its cost, as that's the only way to filter out the
> > invalid values; the user controls are handled solely in ALSA core
> > code, and there is no corresponding driver, after all.
> > 
> > This patch enables the input value validation for user control
> > elements no matter whether CONFIG_SND_CTL_INPUT_VALIDATION is set or
> > not.  The kselftest will be happier with this change, as the incorrect
> > values will be bailed out now with errors.
> > 
> > For other normal controls, the check is applied still only when
> > CONFIG_SND_CTL_INPUT_VALIDATION is set.
> > 
> > Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
> > Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
> > Reviewed-by: Jaroslav Kysela <perex@perex.cz>
> > Reviewed-by: Mark Brown <broonie@kernel.org>
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> >  sound/core/control.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/sound/core/control.c b/sound/core/control.c
> > index fb0c60044f7b..50890983d7e2 100644
> > --- a/sound/core/control.c
> > +++ b/sound/core/control.c
> > @@ -1317,7 +1317,8 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file,
> >  	snd_ctl_build_ioff(&control->id, kctl, index_offset);
> >  	result = snd_power_ref_and_wait(card);
> >  	/* validate input values */
> > -	if (IS_ENABLED(CONFIG_SND_CTL_INPUT_VALIDATION) && !result) {
> > +	if ((IS_ENABLED(CONFIG_SND_CTL_INPUT_VALIDATION) ||
> > +	     (vd->access & SNDRV_CTL_ELEM_ACCESS_USER)) && !result) {
> >  		struct snd_ctl_elem_info info;
> >  
> >  		memset(&info, 0, sizeof(info));
> 
> In my opinion, the validation in 'snd_ctl_elem_user_put()' is preferable
> instead. In the function, it is free to access to 'struct
> user_element.info' for the validation.

Yeah, more optimization would be possible and we can do it later.
My patch achieves the purpose in the smallest change.

> In the commit coment, I can see "that's the only way to filter out the
> invalid values", however it not so good idea, since the ALSA control core
> function loses transparency against control elements somehow.

Transparency?  The sanity check of input values is done in each driver
side, hence some overhead is more or less always present, depending on
the implementation.

> Furthermore, I can see "there is no corresponding driver", however it is
> suspicious somehow. It would be smart to charge the validation
> implementation for user-defined control element set if forcing it.

The context there implies that, in the case of user elements, all
handled in sound/core/control.c, and there is no other dedicated
driver code handling the control put for those controls, hence
sound/core/control.c is the only place where we can address the
issue.


thanks,

Takashi

On Sat, Jun 15, 2024 at 09:28:50AM +0200, Takashi Iwai wrote:
> > In the commit coment, I can see "that's the only way to filter out the
> > invalid values", however it not so good idea, since the ALSA control core
> > function loses transparency against control elements somehow.
> 
> Transparency?  The sanity check of input values is done in each driver
> side, hence some overhead is more or less always present, depending on
> the implementation.
>
> > Furthermore, I can see "there is no corresponding driver", however it is
> > suspicious somehow. It would be smart to charge the validation
> > implementation for user-defined control element set if forcing it.
> 
> The context there implies that, in the case of user elements, all
> handled in sound/core/control.c, and there is no other dedicated
> driver code handling the control put for those controls, hence
> sound/core/control.c is the only place where we can address the
> issue.

If you can force the validation to _all_ of the existing drivers by any
kind of mechanism, it would be. Actually, not. We can have such driver
which handles the write request without such validation, and control core
allows it. The kernel configuration is to ease the detection of such
drivers (and applications) in application runtime. Therefore the
transparency would be lost by the patch.

Assuming that two control element exist in a sound card, which has the
same information and TLV response, except for the flag of
SNDRV_CTL_ELEM_ACCESS_USER. For the same value data, one operation with
SNDRV_CTL_IOCTL_ELEM_WRITE is successful, and another operation with
SNDRV_CTL_ELEM_ACCESS_USER is failed. When encountering this issue,
the programmer of the application suspect the bug pertaining to the latter
control, then the programmer find the latter has
SNDRV_CTL_ELEM_ACCESS_USER. Then the programmer would judge that 'I got
it, it is a bug of user-defined control element set' even if the program
includes the bug for min/max/step computation and the underlying sound
driver includes the bug not to validate value data.

The patch loses transparency in the above step. Without the patch, both
operations finish with the equivalent result.


Nevertheless, I think the validation is itself preferable. In my opinion,
the validation before/after the call of 'snd_kcontrol_put_t' would result
in the different argument. The 'validate-before-call' is the argument of
control core function, while 'validate-after-call is the argument of
implementation of user-defined element set. The patch should belong to the
latter to extend current implementation of user-defined element set.
Thus I suggest to put the validation into the put callback function,
regardless of the optimization to which you address.


Regards

Takashi Sakamoto

On Sat, 15 Jun 2024 10:02:35 +0200,
Takashi Sakamoto wrote:
> 
> On Sat, Jun 15, 2024 at 09:28:50AM +0200, Takashi Iwai wrote:
> > > In the commit coment, I can see "that's the only way to filter out the
> > > invalid values", however it not so good idea, since the ALSA control core
> > > function loses transparency against control elements somehow.
> > 
> > Transparency?  The sanity check of input values is done in each driver
> > side, hence some overhead is more or less always present, depending on
> > the implementation.
> >
> > > Furthermore, I can see "there is no corresponding driver", however it is
> > > suspicious somehow. It would be smart to charge the validation
> > > implementation for user-defined control element set if forcing it.
> > 
> > The context there implies that, in the case of user elements, all
> > handled in sound/core/control.c, and there is no other dedicated
> > driver code handling the control put for those controls, hence
> > sound/core/control.c is the only place where we can address the
> > issue.
> 
> If you can force the validation to _all_ of the existing drivers by any
> kind of mechanism, it would be. Actually, not. We can have such driver
> which handles the write request without such validation, and control core
> allows it. The kernel configuration is to ease the detection of such
> drivers (and applications) in application runtime. Therefore the
> transparency would be lost by the patch.

In principle, the validation should be done for *every* kcontrol.  The
lack of the validation was ignored so far with a naive assumption that
the driver treats properly nevertheless.  But since we're checking it
more strictly in kselftest, the problem became more obvious, and this
is a corresponding fix for user control element part.  HD-audio driver
had another issues and they are fixed in other patches of this
series.

> Assuming that two control element exist in a sound card, which has the
> same information and TLV response, except for the flag of
> SNDRV_CTL_ELEM_ACCESS_USER. For the same value data, one operation with
> SNDRV_CTL_IOCTL_ELEM_WRITE is successful, and another operation with
> SNDRV_CTL_ELEM_ACCESS_USER is failed. When encountering this issue,
> the programmer of the application suspect the bug pertaining to the latter
> control, then the programmer find the latter has
> SNDRV_CTL_ELEM_ACCESS_USER. Then the programmer would judge that 'I got
> it, it is a bug of user-defined control element set' even if the program
> includes the bug for min/max/step computation and the underlying sound
> driver includes the bug not to validate value data.

No, it's a wrong understanding, other way round: the driver must
validate the values by itself.

> The patch loses transparency in the above step. Without the patch, both
> operations finish with the equivalent result.
> 
> Nevertheless, I think the validation is itself preferable.

The validation is not "preferable" but rather "mandatory".

> In my opinion,
> the validation before/after the call of 'snd_kcontrol_put_t' would result
> in the different argument. The 'validate-before-call' is the argument of
> control core function, while 'validate-after-call is the argument of
> implementation of user-defined element set. The patch should belong to the
> latter to extend current implementation of user-defined element set.
> Thus I suggest to put the validation into the put callback function,
> regardless of the optimization to which you address.

I don't get the argument, sorry.
If you have a better point, please submit an incremental patch.


thanks,

Takashi

On Sat, 15 Jun 2024 10:30:10 +0200,
Takashi Iwai wrote:
> 
> On Sat, 15 Jun 2024 10:02:35 +0200,
> Takashi Sakamoto wrote:
> > 
> > On Sat, Jun 15, 2024 at 09:28:50AM +0200, Takashi Iwai wrote:
> > > > In the commit coment, I can see "that's the only way to filter out the
> > > > invalid values", however it not so good idea, since the ALSA control core
> > > > function loses transparency against control elements somehow.
> > > 
> > > Transparency?  The sanity check of input values is done in each driver
> > > side, hence some overhead is more or less always present, depending on
> > > the implementation.
> > >
> > > > Furthermore, I can see "there is no corresponding driver", however it is
> > > > suspicious somehow. It would be smart to charge the validation
> > > > implementation for user-defined control element set if forcing it.
> > > 
> > > The context there implies that, in the case of user elements, all
> > > handled in sound/core/control.c, and there is no other dedicated
> > > driver code handling the control put for those controls, hence
> > > sound/core/control.c is the only place where we can address the
> > > issue.
> > 
> > If you can force the validation to _all_ of the existing drivers by any
> > kind of mechanism, it would be. Actually, not. We can have such driver
> > which handles the write request without such validation, and control core
> > allows it. The kernel configuration is to ease the detection of such
> > drivers (and applications) in application runtime. Therefore the
> > transparency would be lost by the patch.
> 
> In principle, the validation should be done for *every* kcontrol.  The
> lack of the validation was ignored so far with a naive assumption that
> the driver treats properly nevertheless.  But since we're checking it
> more strictly in kselftest, the problem became more obvious, and this
> is a corresponding fix for user control element part.  HD-audio driver
> had another issues and they are fixed in other patches of this
> series.
> 
> > Assuming that two control element exist in a sound card, which has the
> > same information and TLV response, except for the flag of
> > SNDRV_CTL_ELEM_ACCESS_USER. For the same value data, one operation with
> > SNDRV_CTL_IOCTL_ELEM_WRITE is successful, and another operation with
> > SNDRV_CTL_ELEM_ACCESS_USER is failed. When encountering this issue,
> > the programmer of the application suspect the bug pertaining to the latter
> > control, then the programmer find the latter has
> > SNDRV_CTL_ELEM_ACCESS_USER. Then the programmer would judge that 'I got
> > it, it is a bug of user-defined control element set' even if the program
> > includes the bug for min/max/step computation and the underlying sound
> > driver includes the bug not to validate value data.
> 
> No, it's a wrong understanding, other way round: the driver must
> validate the values by itself.
> 
> > The patch loses transparency in the above step. Without the patch, both
> > operations finish with the equivalent result.
> > 
> > Nevertheless, I think the validation is itself preferable.
> 
> The validation is not "preferable" but rather "mandatory".
> 
> > In my opinion,
> > the validation before/after the call of 'snd_kcontrol_put_t' would result
> > in the different argument. The 'validate-before-call' is the argument of
> > control core function, while 'validate-after-call is the argument of
> > implementation of user-defined element set. The patch should belong to the
> > latter to extend current implementation of user-defined element set.
> > Thus I suggest to put the validation into the put callback function,
> > regardless of the optimization to which you address.
> 
> I don't get the argument, sorry.
> If you have a better point, please submit an incremental patch.

Or did you meant something like below?


Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH v3] ALSA: control: Apply sanity check of input values for user elements

Although we have already a mechanism for sanity checks of input values
for control writes, it's not applied unless the kconfig
CONFIG_SND_CTL_INPUT_VALIDATION is set due to the performance reason.
Nevertheless, it still makes sense to apply the same check for user
elements despite of its cost, as that's the only way to filter out the
invalid values; the user controls are handled solely in ALSA core
code, and there is no corresponding driver, after all.

This patch adds the same input value validation for user control
elements at its put callback.  The kselftest will be happier with this
change, as the incorrect values will be bailed out now with errors.

For other normal controls, the check is applied still only when
CONFIG_SND_CTL_INPUT_VALIDATION is set.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/control.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sound/core/control.c b/sound/core/control.c
index fb0c60044f7b..1dd2337e2930 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1480,12 +1480,16 @@ static int snd_ctl_elem_user_get(struct snd_kcontrol *kcontrol,
 static int snd_ctl_elem_user_put(struct snd_kcontrol *kcontrol,
 				 struct snd_ctl_elem_value *ucontrol)
 {
-	int change;
+	int err, change;
 	struct user_element *ue = kcontrol->private_data;
 	unsigned int size = ue->elem_data_size;
 	char *dst = ue->elem_data +
 			snd_ctl_get_ioff(kcontrol, &ucontrol->id) * size;
 
+	err = sanity_check_input_values(ue->card, ucontrol, &ue->info, false);
+	if (err < 0)
+		return err;
+
 	change = memcmp(&ucontrol->value, dst, size) != 0;
 	if (change)
 		memcpy(dst, &ucontrol->value, size);

On Sat, Jun 15, 2024 at 01:37:09PM +0200, Takashi Iwai wrote:
> From: Takashi Iwai <tiwai@suse.de>
> Subject: [PATCH v3] ALSA: control: Apply sanity check of input values for user elements
> 
> Although we have already a mechanism for sanity checks of input values
> for control writes, it's not applied unless the kconfig
> CONFIG_SND_CTL_INPUT_VALIDATION is set due to the performance reason.
> Nevertheless, it still makes sense to apply the same check for user
> elements despite of its cost, as that's the only way to filter out the
> invalid values; the user controls are handled solely in ALSA core
> code, and there is no corresponding driver, after all.
> 
> This patch adds the same input value validation for user control
> elements at its put callback.  The kselftest will be happier with this
> change, as the incorrect values will be bailed out now with errors.
> 
> For other normal controls, the check is applied still only when
> CONFIG_SND_CTL_INPUT_VALIDATION is set.
> 
> Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
> Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
> Reviewed-by: Jaroslav Kysela <perex@perex.cz>
> Reviewed-by: Mark Brown <broonie@kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  sound/core/control.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>


Thanks

Takashi Sakamoto