mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-01 14:44:12 +00:00
Code Issues Releases Wiki Activity

ASoC: SOF: ipc-msg-injector: Cap the rmaining to count in IPC4 mode

Browse source 
If user space provides smaller buffer than the IPC4 reply then it is
possible that we corrupt user space memory since the IPC4 dfs_read function
is not using the count directly in copy_to_user() due to the nature of
an IPC4 message.

Cap the remaining counter to make sure that we are not writing too much to
the user space provided buffer.

Add a check also to make sure that the buffer is at least the size of the
IPC4 header.

Fixes: 066c67624d: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20220516092442.17027-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
This commit is contained in:
Peter Ujfalusi 2022-05-16 12:24:42 +03:00 committed by Mark Brown
parent dba2d5ae4c
commit c5003f08fe
No known key found for this signature in database
GPG key ID: 24D68B725D5487D0
1 changed files with 11 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
sound/soc/sof/sof-client-ipc-msg-injector.c
View file

@ -76,12 +76,17 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
struct sof_client_dev *cdev = file->private_data;
struct sof_msg_inject_priv *priv = cdev->data;
struct sof_ipc4_msg *ipc4_msg = priv->rx_buffer;
size_t header_size = sizeof(ipc4_msg->header_u64);
size_t remaining;
if (!ipc4_msg->header_u64 || !count || *ppos)
return 0;
remaining = sizeof(ipc4_msg->header_u64);
/* we need space for the header at minimum (u64) */
if (count < header_size)
return -ENOSPC;
remaining = header_size;
/* Only get large config have payload */
if (SOF_IPC4_MSG_IS_MODULE_MSG(ipc4_msg->primary) &&
@ -90,13 +95,15 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
if (count > remaining)
count = remaining;
else if (count < remaining)
remaining = count;
/* copy the header first */
if (copy_to_user(buffer, &ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64)))
if (copy_to_user(buffer, &ipc4_msg->header_u64, header_size))
return -EFAULT;
*ppos += sizeof(ipc4_msg->header_u64);
remaining -= sizeof(ipc4_msg->header_u64);
*ppos += header_size;
remaining -= header_size;
if (!remaining)
return count;