* [PATCH] hda: add bounds checking for the codec command fields
From: Wu Fengguang @ 2009-07-17 8:24 UTC
To: alsa-devel; +Cc: Takashi Iwai, Chaohong Guo
A recent bug involves passing an auto-detected >0x7f NID to a codec command,
creating an invalid codec addr field, and finally leading to a cmd timeout
and a fallback into single command mode. Jaroslav fixed that bug in
alc880_parse_auto_config().
It would be safer to further check the bounds of all cmd fields.
Cc: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
---
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 462e2ce..7d09650 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -150,6 +150,16 @@ make_codec_cmd(struct hda_codec *codec, hda_nid_t nid, int direct,
{
u32 val;
+ if ((direct & ~1) || (nid & ~0x7f) ||
+ (verb & ~0xfff) || (parm & ~0xff)) {
+ printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
+ codec->addr, direct, nid, verb, parm);
+ direct &= 1;
+ nid &= 0x7f;
+ verb &= 0xfff;
+ parm &= 0xff;
+ }
+
val = (u32)(codec->addr & 0x0f) << 28;
val |= (u32)direct << 27;
val |= (u32)nid << 20;
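Review bot: In the out-of-range branch (the four `&=` lines) the fields are masked and the command is still built, so a NID above 0x7f is turned into a different, in-range NID and sent to the wrong node once the error has been logged. Rejecting the command and letting the caller see a failure would be safer than truncating. The condition also leaves out codec->addr, although it is printed in the message and masked with 0x0f in the context line below; adding `codec->addr & ~0xf` to the test would cover every field of the word.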
* Re: [PATCH] hda: add bounds checking for the codec command fields
From: Wu Fengguang @ 2009-07-17 8:27 UTC
To: alsa-devel; +Cc: Takashi Iwai, Chaohong Guo
On Fri, Jul 17, 2009 at 04:24:10PM +0800, Wu Fengguang wrote:
> A recent bug involves passing auto detected >0x7f NID to codec command,
> creating an invalid codec addr field, and finally lead to cmd timeout
> and fall back into single command mode. Jaroslav fixed that bug in
> alc880_parse_auto_config().
>
> It would be safer to further check the bounds of all cmd fields.
>
> Cc: Jaroslav Kysela <perex@perex.cz>
> Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
> ---
> diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
> index 462e2ce..7d09650 100644
> --- a/sound/pci/hda/hda_codec.c
> +++ b/sound/pci/hda/hda_codec.c
> @@ -150,6 +150,16 @@ make_codec_cmd(struct hda_codec *codec, hda_nid_t nid, int direct,
> {
> u32 val;
>
> + if ((direct & ~1) || (nid & ~0x7f) ||
> + (verb & ~0xfff) || (parm & ~0xff)) {
> + printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
> + codec->addr, direct, nid, verb, parm);
Maybe we shall simply return here?
> + direct &= 1;
> + nid &= 0x7f;
> + verb &= 0xfff;
> + parm &= 0xff;
> + }
> +
> val = (u32)(codec->addr & 0x0f) << 28;
> val |= (u32)direct << 27;
> val |= (u32)nid << 20;
* [PATCH] hda: add bounds checking for the codec command fields v2
From: Wu Fengguang @ 2009-07-17 8:49 UTC
To: alsa-devel; +Cc: Takashi Iwai, Chaohong Guo, John Villalovos
On Fri, Jul 17, 2009 at 04:27:03PM +0800, Wu Fengguang wrote:
> On Fri, Jul 17, 2009 at 04:24:10PM +0800, Wu Fengguang wrote:
> > A recent bug involves passing auto detected >0x7f NID to codec command,
> > creating an invalid codec addr field, and finally lead to cmd timeout
> > and fall back into single command mode. Jaroslav fixed that bug in
> > alc880_parse_auto_config().
> >
> > It would be safer to further check the bounds of all cmd fields.
> >
> > Cc: Jaroslav Kysela <perex@perex.cz>
> > Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
> > ---
> > diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
> > index 462e2ce..7d09650 100644
> > --- a/sound/pci/hda/hda_codec.c
> > +++ b/sound/pci/hda/hda_codec.c
> > @@ -150,6 +150,16 @@ make_codec_cmd(struct hda_codec *codec, hda_nid_t nid, int direct,
> > {
> > u32 val;
> >
> > + if ((direct & ~1) || (nid & ~0x7f) ||
> > + (verb & ~0xfff) || (parm & ~0xff)) {
> > + printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
> > + codec->addr, direct, nid, verb, parm);
>
> Maybe we shall simply return here?
Here it is :)
---
hda: add bounds checking for the codec command fields
A recent bug involves passing an auto-detected >0x7f NID to a codec command,
creating an invalid codec addr field, and finally leading to a cmd timeout
and a fallback into single command mode. Jaroslav fixed that bug in
alc880_parse_auto_config().
It would be safer to further check the bounds of all cmd fields.
Cc: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
---
sound/pci/hda/hda_codec.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- sound-2.6.orig/sound/pci/hda/hda_codec.c
+++ sound-2.6/sound/pci/hda/hda_codec.c
@@ -150,7 +150,14 @@ make_codec_cmd(struct hda_codec *codec,
{
u32 val;
- val = (u32)(codec->addr & 0x0f) << 28;
+ if ((codec->addr & ~0xf) | (direct & ~1) | (nid & ~0x7f) |
+ (verb & ~0xfff) | (parm & ~0xff)) {
+ printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
+ codec->addr, direct, nid, verb, parm);
+ return ~0;
+ }
+
+ val = (u32)codec->addr << 28;
val |= (u32)direct << 27;
val |= (u32)nid << 20;
val |= verb << 8;
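Review bot: `return ~0;` uses an all-ones word as the error marker, but the five masks in the condition add up to 32 bits (4 + 1 + 7 + 12 + 8), so the in-range command with every field at its maximum also encodes to 0xffffffff if parm fills the low byte, which this hunk does not show. Returning the status separately from the command word (an int return value, with the word written through a pointer) avoids overloading a value that lies inside the command space. The condition also joins the tests with bitwise `|`; logical `||` states the intent more clearly.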
@@ -167,6 +174,9 @@ static int codec_exec_verb(struct hda_co
struct hda_bus *bus = codec->bus;
int err;
+ if (cmd == ~0)
+ return -1;
+
if (res)
*res = -1;
again:
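Review bot: The early `return -1` sits above `if (res) *res = -1;`, so for a rejected command a non-NULL res is left untouched, and a caller that reads it without checking the return value sees whatever was there before. Moving the `cmd == ~0` check below the `*res = -1` initialisation would set res on every path, and a named errno such as -EINVAL would say more than a bare -1.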
* Re: [PATCH] hda: add bounds checking for the codec command fields v2
From: Takashi Iwai @ 2009-07-17 9:28 UTC
To: Wu Fengguang; +Cc: Chaohong Guo, alsa-devel, John Villalovos
At Fri, 17 Jul 2009 16:49:19 +0800,
Wu Fengguang wrote:
>
> On Fri, Jul 17, 2009 at 04:27:03PM +0800, Wu Fengguang wrote:
> > On Fri, Jul 17, 2009 at 04:24:10PM +0800, Wu Fengguang wrote:
> > > A recent bug involves passing auto detected >0x7f NID to codec command,
> > > creating an invalid codec addr field, and finally lead to cmd timeout
> > > and fall back into single command mode. Jaroslav fixed that bug in
> > > alc880_parse_auto_config().
> > >
> > > It would be safer to further check the bounds of all cmd fields.
> > >
> > > Cc: Jaroslav Kysela <perex@perex.cz>
> > > Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
> > > ---
> > > diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
> > > index 462e2ce..7d09650 100644
> > > --- a/sound/pci/hda/hda_codec.c
> > > +++ b/sound/pci/hda/hda_codec.c
> > > @@ -150,6 +150,16 @@ make_codec_cmd(struct hda_codec *codec, hda_nid_t nid, int direct,
> > > {
> > > u32 val;
> > >
> > > + if ((direct & ~1) || (nid & ~0x7f) ||
> > > + (verb & ~0xfff) || (parm & ~0xff)) {
> > > + printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
> > > + codec->addr, direct, nid, verb, parm);
> >
> > Maybe we shall simply return here?
>
> Here it is :)
>
> ---
> hda: add bounds checking for the codec command fields
>
> A recent bug involves passing auto detected >0x7f NID to codec command,
> creating an invalid codec addr field, and finally lead to cmd timeout
> and fall back into single command mode. Jaroslav fixed that bug in
> alc880_parse_auto_config().
>
> It would be safer to further check the bounds of all cmd fields.
>
> Cc: Jaroslav Kysela <perex@perex.cz>
> Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Looks good. Applied now.
Thanks!
Takashi
> ---
> sound/pci/hda/hda_codec.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> --- sound-2.6.orig/sound/pci/hda/hda_codec.c
> +++ sound-2.6/sound/pci/hda/hda_codec.c
> @@ -150,7 +150,14 @@ make_codec_cmd(struct hda_codec *codec,
> {
> u32 val;
>
> - val = (u32)(codec->addr & 0x0f) << 28;
> + if ((codec->addr & ~0xf) | (direct & ~1) | (nid & ~0x7f) |
> + (verb & ~0xfff) | (parm & ~0xff)) {
> + printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
> + codec->addr, direct, nid, verb, parm);
> + return ~0;
> + }
> +
> + val = (u32)codec->addr << 28;
> val |= (u32)direct << 27;
> val |= (u32)nid << 20;
> val |= verb << 8;
> @@ -167,6 +174,9 @@ static int codec_exec_verb(struct hda_co
> struct hda_bus *bus = codec->bus;
> int err;
>
> + if (cmd == ~0)
> + return -1;
> +
> if (res)
> *res = -1;
> again:
>
* Re: [PATCH] hda: add bounds checking for the codec command fields v2
From: Takashi Iwai @ 2009-07-17 10:53 UTC
To: Wu, Fengguang; +Cc: Guo, Chaohong, alsa-devel@alsa-project.org, John Villalovos
At Fri, 17 Jul 2009 12:46:01 +0200,
I wrote:
>
> At Fri, 17 Jul 2009 18:41:05 +0800,
> Guo, Chaohong wrote:
> >
> > Although it does address this issue, I am not comfortable with this fixing.
> > It seems more like a workaround than fix.
>
> No, it's rather for catching a bug. This is definitely neither
> "workaround" nor "fix".
BTW, I fixed the patch again as below.
Takashi
---
From 82e1b804b03defe46fb69ffd2c8b19e6649bcb0d Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Fri, 17 Jul 2009 12:47:34 +0200
Subject: [PATCH] ALSA: hda - Fix the previous sanity check in make_codec_cmd()
The newly added sanity-check for a codec verb can be better written
with logical ORs. Also, the parameter can be more than 8bit.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/pci/hda/hda_codec.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index d9d3262..35f0f22 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -150,8 +150,8 @@ make_codec_cmd(struct hda_codec *codec, hda_nid_t nid, int direct,
{
u32 val;
- if ((codec->addr & ~0xf) | (direct & ~1) | (nid & ~0x7f) |
- (verb & ~0xfff) | (parm & ~0xff)) {
+ if ((codec->addr & ~0xf) || (direct & ~1) || (nid & ~0x7f) ||
+ (verb & ~0xfff) || (parm & ~0xffff)) {
printk(KERN_ERR "hda-codec: out of range cmd %x:%x:%x:%x:%x\n",
codec->addr, direct, nid, verb, parm);
return ~0;
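Review bot: With the parm mask widened to 0xffff while verb is still allowed up to 0xfff, the condition accepts a 12-bit verb together with a parm above 0xff. The packing code shown earlier in the thread shifts verb left by 8 (`val |= verb << 8;`), so such a pair would overlap in the encoded word without being reported. Consider tying the two limits together, for example allowing a parm above 0xff only when the low byte of verb is zero, or adding a comment that states which verb and parm widths are valid together.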
--
1.6.3.2
* Re: [PATCH] hda: add bounds checking for the codec command fields v2
From: Wu Fengguang @ 2009-07-17 11:05 UTC
To: Takashi Iwai; +Cc: Guo, Chaohong, alsa-devel@alsa-project.org, John Villalovos
On Fri, Jul 17, 2009 at 06:46:01PM +0800, Takashi Iwai wrote:
> At Fri, 17 Jul 2009 18:41:05 +0800,
> Guo, Chaohong wrote:
> >
> > Although it does address this issue, I am not comfortable with this fixing.
> > It seems more like a workaround than fix.
>
> No, it's rather for catching a bug. This is definitely neither
> "workaround" nor "fix".
Yes, I wrote this mainly for catching unknown bugs.
> > Moreover, if long format node
> > ID is used in the future, the code will cause little trouble for maintaining.
>
> Well, the current code doesn't support the long id (as the restriction
> of HD-audio controller side), so we'd need major changes in anyway.
> Thus this check is no big issue for maintenance, at least to me :)
Does the HDA spec define cmd format that accept long form NID?
If so, can you point me to the specific location please? Thanks.
> > what I want is to fix it during parsing connection list, and verify the node
> > id is valid there .
>
> Heh, this was already fixed :)
AFAIK, snd_hda_get_connections() won't return NIDs bigger than
0x7f(short) or 0x7ffff(long).
Thanks,
Fengguang
* Re: [PATCH] hda: add bounds checking for the codec command fields v2
From: Wu Fengguang @ 2009-07-17 11:10 UTC
To: Takashi Iwai; +Cc: Guo, Chaohong, alsa-devel@alsa-project.org, John Villalovos
On Fri, Jul 17, 2009 at 06:53:24PM +0800, Takashi Iwai wrote:
> At Fri, 17 Jul 2009 12:46:01 +0200,
> I wrote:
> >
> > At Fri, 17 Jul 2009 18:41:05 +0800,
> > Guo, Chaohong wrote:
> > >
> > > Although it does address this issue, I am not comfortable with this fixing.
> > > It seems more like a workaround than fix.
> >
> > No, it's rather for catching a bug. This is definitely neither
> > "workaround" nor "fix".
>
> BTW, I fixed the patch again as below.
>
>
> Takashi
>
> ---
> >From 82e1b804b03defe46fb69ffd2c8b19e6649bcb0d Mon Sep 17 00:00:00 2001
> From: Takashi Iwai <tiwai@suse.de>
> Date: Fri, 17 Jul 2009 12:47:34 +0200
> Subject: [PATCH] ALSA: hda - Fix the previous sanity check in make_codec_cmd()
>
> The newly added sanity-check for a codec verb can be better written
> with logical ORs. Also, the parameter can be more than 8bit.
Ah OK, thanks for the fix!
Thanks,
Fengguang
* Re: [PATCH] hda: add bounds checking for the codec command fields v2
From: Guo, Chaohong @ 2009-07-20 2:13 UTC
To: Wu, Fengguang, Takashi Iwai
Cc: alsa-devel@alsa-project.org, John Villalovos, Jaroslav
>Cc: Guo, Chaohong; alsa-devel@alsa-project.org; Jaroslav
>Kysela; John Villalovos
>Subject: Re: [PATCH] hda: add bounds checking for the codec
>command fields v2
>
>On Fri, Jul 17, 2009 at 06:46:01PM +0800, Takashi Iwai wrote:
>> At Fri, 17 Jul 2009 18:41:05 +0800,
>> Guo, Chaohong wrote:
>> >
>> > Although it does address this issue, I am not comfortable
>with this fixing.
>> > It seems more like a workaround than fix.
>>
>> No, it's rather for catching a bug. This is definitely neither
>> "workaround" nor "fix".
>
>Yes, I wrote this mainly for catching unknown bugs.
Oh, I misunderstood your intention. So, we still need to investigate
the bug which occurs on RH i386 version :)
>
>> > Moreover, if long format node
>> > ID is used in the future, the code will cause little
>trouble for maintaining.
>>
>> Well, the current code doesn't support the long id (as the
>restriction
>> of HD-audio controller side), so we'd need major changes in anyway.
>> Thus this check is no big issue for maintenance, at least to me :)
>
>Does the HDA spec define cmd format that accept long form NID?
>If so, can you point me to the specific location please? Thanks.
No. AFAIK, HDA doesn't specify long NID verb yet, I said "In the
future". But who knows why hardware vendors want to use long
NID in the future, seems 128 is enough.
-minskey
>
>> > what I want is to fix it during parsing connection list,
>and verify the node
>> > id is valid there .
>>
>> Heh, this was already fixed :)
>
>AFAIK, snd_hda_get_connections() won't return NIDs bigger than
>0x7f(short) or 0x7ffff(long).
>
>Thanks,
>Fengguang
>
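The field overflow that the thread's sanity check is meant to catch, as an added user-space example that is not code from the patches or from the ALSA tree. The field widths come from the masks in the v2 patch; `pack_unchecked`, `pack_checked` and `cmd_addr` are hypothetical names, and placing parm in the low byte is an assumption because that line is not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Widths per the v2 masks: addr 4 bits, direct 1, nid 7, verb 12, parm 8.
 * parm in the low byte is an assumption (not visible in the thread). */
static uint32_t pack_unchecked(unsigned addr, unsigned direct,
                               unsigned nid, unsigned verb, unsigned parm)
{
    uint32_t val = (uint32_t)(addr & 0x0f) << 28;
    val |= (uint32_t)direct << 27;
    val |= (uint32_t)nid << 20;   /* a nid above 0x7f spills into bits 27+ */
    val |= (uint32_t)verb << 8;
    val |= parm;
    return val;
}

/* Hypothetical hardened variant: the status is returned separately from
 * the command word, so no 32-bit value doubles as an error marker. */
static int pack_checked(unsigned addr, unsigned direct, unsigned nid,
                        unsigned verb, unsigned parm, uint32_t *out)
{
    if ((addr & ~0xfu) || (direct & ~1u) || (nid & ~0x7fu) ||
        (verb & ~0xfffu) || (parm & ~0xffu))
        return -1;                /* reject; *out is left untouched */
    *out = pack_unchecked(addr, direct, nid, verb, parm);
    return 0;
}

/* Decode the codec address field (bits 31:28) of a packed command. */
static unsigned cmd_addr(uint32_t cmd)
{
    return cmd >> 28;
}

int main(void)
{
    uint32_t cmd = 0;
    /* Constructed input: codec 0, out-of-range NID 0x123, verb 0xf00. */
    uint32_t bad = pack_unchecked(0, 0, 0x123, 0xf00, 0);

    printf("unchecked: cmd=0x%08x addr field=%u\n", bad, cmd_addr(bad));
    printf("checked:   rc=%d\n", pack_checked(0, 0, 0x123, 0xf00, 0, &cmd));
    /* Every field at its maximum is still a valid command word. */
    if (pack_checked(0xf, 1, 0x7f, 0xfff, 0xff, &cmd) == 0)
        printf("max valid: cmd=0x%08x\n", cmd);
    return 0;
}
```

The unchecked call addresses codec 1 although codec 0 was requested, which is the invalid addr field the commit message describes.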