From patchwork Thu Sep 17 10:56:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kai Vehmanen X-Patchwork-Id: 250998 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82097C43461 for ; Thu, 17 Sep 2020 11:03:26 +0000 (UTC) Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id CF7882074B for ; Thu, 17 Sep 2020 11:03:25 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=alsa-project.org header.i=@alsa-project.org header.b="X0yZMUv0" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CF7882074B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=alsa-devel-bounces@alsa-project.org Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id 46D3E168C; Thu, 17 Sep 2020 13:02:34 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 46D3E168C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1600340604; bh=LnSlwJ4/PVuAwgycsfTe0sGs5HHPy8fg3SoOapHTVQU=; h=From:To:Subject:Date:In-Reply-To:References:Cc:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=X0yZMUv03KDhZCgZxaKr5FOeXr5j03rCs2vrj83hhdpPwY0alYBVEduYg2+zVSp4H 66K7JLwjFKwHxkHuivIV0kHjXsvyQ10JXsc39PRPbZBoCA5ayqwYypqPGPNQbfGQxt wRIe0wjLLA92tgmkRA99MgAf3VaJN5IRBdb92KwI= Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1]) by alsa1.perex.cz (Postfix) with ESMTP id 1A8EBF80304; Thu, 17 Sep 2020 12:58:29 +0200 (CEST) Received: by alsa1.perex.cz (Postfix, from userid 50401) id 0656FF802FB; Thu, 17 Sep 2020 12:58:25 +0200 (CEST) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id 763D6F802D2 for ; Thu, 17 Sep 2020 12:58:18 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz 763D6F802D2 IronPort-SDR: dIoxEo9AGgW39FpZPoyhZIXuVA8BgcGT8VV1SU2CkJ9WLlxBymYzCN/LjlcB3K4XJMdG6+ApWD f/Xs1MuOsPvQ== X-IronPort-AV: E=McAfee;i="6000,8403,9746"; a="157075366" X-IronPort-AV: E=Sophos;i="5.76,436,1592895600"; d="scan'208";a="157075366" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Sep 2020 03:58:18 -0700 IronPort-SDR: o/YKCAJ9ylE9zO2YyEvLh6x4y2Xa3cis7akpj2I7ReL6EjYHUq7ZybAlhyiTPl/A44K5AVxFxa Lmop1DzVymKw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.76,436,1592895600"; d="scan'208";a="320177360" Received: from eliteleevi.tm.intel.com ([10.237.54.20]) by orsmga002.jf.intel.com with ESMTP; 17 Sep 2020 03:58:15 -0700 From: Kai Vehmanen To: alsa-devel@alsa-project.org, broonie@kernel.org Subject: [PATCH 7/8] ASoC: SOF: fix range checks Date: Thu, 17 Sep 2020 13:56:32 +0300 Message-Id: <20200917105633.2579047-8-kai.vehmanen@linux.intel.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200917105633.2579047-1-kai.vehmanen@linux.intel.com> References: <20200917105633.2579047-1-kai.vehmanen@linux.intel.com> MIME-Version: 1.0 Cc: Guennadi Liakhovetski , kai.vehmanen@linux.intel.com, lgirdwood@gmail.com, pierre-louis.bossart@linux.intel.com, ranjani.sridharan@linux.intel.com, daniel.baluta@nxp.com X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" From: Guennadi Liakhovetski On multiple locations checks are performed of untrusted values after adding a constant to them. This is wrong, because the addition might overflow and the result can then pass the check, although the original value is invalid. Fix multiple such issues by checking the actual value and not a sum of it and a constant. Signed-off-by: Guennadi Liakhovetski Reviewed-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Signed-off-by: Kai Vehmanen --- sound/soc/sof/control.c | 38 ++++++++++++++++++++++---------------- sound/soc/sof/topology.c | 20 +++++++++++++------- 2 files changed, 35 insertions(+), 23 deletions(-) diff --git a/sound/soc/sof/control.c b/sound/soc/sof/control.c index 63ead9ebc4c6..58f8c998e6af 100644 --- a/sound/soc/sof/control.c +++ b/sound/soc/sof/control.c @@ -229,14 +229,16 @@ int snd_sof_bytes_get(struct snd_kcontrol *kcontrol, return -EINVAL; } - size = data->size + sizeof(*data); - if (size > be->max) { + /* be->max has been verified to be >= sizeof(struct sof_abi_hdr) */ + if (data->size > be->max - sizeof(*data)) { dev_err_ratelimited(scomp->dev, - "error: DSP sent %zu bytes max is %d\n", - size, be->max); + "error: %u bytes of control data is invalid, max is %zu\n", + data->size, be->max - sizeof(*data)); return -EINVAL; } + size = data->size + sizeof(*data); + /* copy back to kcontrol */ memcpy(ucontrol->value.bytes.data, data, size); @@ -252,7 +254,7 @@ int snd_sof_bytes_put(struct snd_kcontrol *kcontrol, struct snd_soc_component *scomp = scontrol->scomp; struct sof_ipc_ctrl_data *cdata = scontrol->control_data; struct sof_abi_hdr *data = cdata->data; - size_t size = data->size + sizeof(*data); + size_t size; if (be->max > sizeof(ucontrol->value.bytes.data)) { dev_err_ratelimited(scomp->dev, @@ -261,13 +263,16 @@ int snd_sof_bytes_put(struct snd_kcontrol *kcontrol, return -EINVAL; } - if (size > be->max) { + /* be->max has been verified to be >= sizeof(struct sof_abi_hdr) */ + if (data->size > be->max - sizeof(*data)) { dev_err_ratelimited(scomp->dev, - "error: size too big %zu bytes max is %d\n", - size, be->max); + "error: data size too big %u bytes max is %zu\n", + data->size, be->max - sizeof(*data)); return -EINVAL; } + size = data->size + sizeof(*data); + /* copy from kcontrol */ memcpy(data, ucontrol->value.bytes.data, size); @@ -334,7 +339,8 @@ int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol, return -EINVAL; } - if (cdata->data->size + sizeof(const struct sof_abi_hdr) > be->max) { + /* be->max has been verified to be >= sizeof(struct sof_abi_hdr) */ + if (cdata->data->size > be->max - sizeof(const struct sof_abi_hdr)) { dev_err_ratelimited(scomp->dev, "error: Mismatch in ABI data size (truncated?).\n"); return -EINVAL; } @@ -420,7 +426,7 @@ int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol, struct snd_ctl_tlv header; struct snd_ctl_tlv __user *tlvd = (struct snd_ctl_tlv __user *)binary_data; - int data_size; + size_t data_size; /* * Decrement the limit by ext bytes header size to @@ -432,16 +438,16 @@ int snd_sof_bytes_ext_get(struct snd_kcontrol *kcontrol, cdata->data->magic = SOF_ABI_MAGIC; cdata->data->abi = SOF_ABI_VERSION; - /* Prevent read of other kernel data or possibly corrupt response */ - data_size = cdata->data->size + sizeof(const struct sof_abi_hdr); - /* check data size doesn't exceed max coming from topology */ - if (data_size > be->max) { - dev_err_ratelimited(scomp->dev, "error: user data size %d exceeds max size %d.\n", - data_size, be->max); + if (cdata->data->size > be->max - sizeof(const struct sof_abi_hdr)) { + dev_err_ratelimited(scomp->dev, "error: user data size %d exceeds max size %zu.\n", + cdata->data->size, + be->max - sizeof(const struct sof_abi_hdr)); return -EINVAL; } + data_size = cdata->data->size + sizeof(const struct sof_abi_hdr); + header.numid = scontrol->cmd; header.length = data_size; if (copy_to_user(tlvd, &header, sizeof(const struct snd_ctl_tlv))) diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c index fa85a22b5880..eaa1122d5a68 100644 --- a/sound/soc/sof/topology.c +++ b/sound/soc/sof/topology.c @@ -1150,20 +1150,26 @@ static int sof_control_load_bytes(struct snd_soc_component *scomp, struct snd_soc_tplg_bytes_control *control = container_of(hdr, struct snd_soc_tplg_bytes_control, hdr); struct soc_bytes_ext *sbe = (struct soc_bytes_ext *)kc->private_value; - int max_size = sbe->max; + size_t max_size = sbe->max; + size_t priv_size = le32_to_cpu(control->priv.size); int ret; - /* init the get/put bytes data */ - scontrol->size = sizeof(struct sof_ipc_ctrl_data) + - le32_to_cpu(control->priv.size); + if (max_size < sizeof(struct sof_ipc_ctrl_data) || + max_size < sizeof(struct sof_abi_hdr)) { + ret = -EINVAL; + goto out; + } - if (scontrol->size > max_size) { - dev_err(scomp->dev, "err: bytes data size %d exceeds max %d.\n", - scontrol->size, max_size); + /* init the get/put bytes data */ + if (priv_size > max_size - sizeof(struct sof_ipc_ctrl_data)) { + dev_err(scomp->dev, "err: bytes data size %zu exceeds max %zu.\n", + priv_size, max_size - sizeof(struct sof_ipc_ctrl_data)); ret = -EINVAL; goto out; } + scontrol->size = sizeof(struct sof_ipc_ctrl_data) + priv_size; + scontrol->control_data = kzalloc(max_size, GFP_KERNEL); cdata = scontrol->control_data; if (!scontrol->control_data) {