Re: [PATCH] ASoC: topology: fix stack corruption by code unification for creating standalone and widget controls

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Amadeusz Sławiński" <amadeuszx.slawinski@linux.intel.com>
To: "H. Nikolaus Schaller" <hns@goldelico.com>,
	Liam Girdwood <lgirdwood@gmail.com>,
	Mark Brown <broonie@kernel.org>, Jaroslav Kysela <perex@perex.cz>,
	Takashi Iwai <tiwai@suse.com>
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
	letux-kernel@openphoenux.org, kernel@pyra-handheld.com,
	risca@dalakolonin.se
Subject: Re: [PATCH] ASoC: topology: fix stack corruption by code unification for creating standalone and widget controls
Date: Mon, 23 Sep 2024 09:39:17 +0200	[thread overview]
Message-ID: <3ceac85f-e419-44b1-b04b-1d1cf99a3e87@linux.intel.com> (raw)
In-Reply-To: <7eca678fa7faa9e160b998192e87220de81315c8.1726847965.git.hns@goldelico.com>

On 9/20/2024 5:59 PM, H. Nikolaus Schaller wrote:
> After finding kernel crashes on omap4/5 aess on PandaES and OMAP5UEVM like
> 
> [   46.367041] Unable to handle kernel execution of memory at virtual address f164d95c when execute
> 
> a bisect did initially hint at commit 8f2942b9198c9 ("ASoC: topology: Unify
> code for creating standalone and widget enum control")
> 
> Deeper analysis shows a bug in two of the three "ASoC: topology: Unify code"
> patches. There, a variable is initialized to point into the struct snd_kcontrol_new
> on stack instead of the newly devm_kzalloc'ed memory.
> 
> Hence, initialization through struct soc_mixer_control or struct soc_bytes_ext
> members overwrites stack instead of the intended target address, leading to
> the observed kernel crashes.
> 
> Fixes: 8f2942b9198c ("ASoC: topology: Unify code for creating standalone and widget enum control")
> Fixes: 4654ca7cc8d6 ("ASoC: topology: Unify code for creating standalone and widget mixer control").
> Fixes: 0867278200f7 ("ASoC: topology: Unify code for creating standalone and widget bytes control").
> Tested-by: risca@dalakolonin.se
> Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
> ---
> 

There was an earlier patch for same issue which got merged:
https://lore.kernel.org/linux-sound/172675955522.1842725.17347774552974803458.b4-ty@kernel.org/T/#m527c2b9bee99d40d7cd5224cb1d8046dd0528097

> Notes:
>      There seems to be another weakness of all three patches. The initialization
>      of the kc.private_value is now done after calling soc_tplg_control_load()
>      which may pass the incompletely initialized control down to some control_load()
>      operation (if tplg->ops are defined).
>      
>      Since this feature is not used by the omap4/5 aess subsystem drivers it is
>      not taken care of by this fix.
>      

dobj is internal management detail of topology handling, I'm not 
convinced end users of topology API should touch it. I would say that I 
would even be worried that someone touches that, as they may corrupt 
list etc.

>      Another general observation with this code (not related to these patches here)
>      is that it does not appear to be 64 bit address safe since private_value of
>      struct snd_kcontrol_new is 'unsigned long' [1] but used to store a pointer.
>      
>      This is fine on omap4/5 since they are 32 bit machines with 32 bit address
>      range. A problem would be a machine with 32 bit unsigned long and >32 bit
>      addresses.

As far as I know that's exactly the reason why it is unsigned long in 
kernel, you can store a pointer in it.

next prev parent reply	other threads:[~2024-09-23  7:39 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-20 15:59 [PATCH] ASoC: topology: fix stack corruption by code unification for creating standalone and widget controls H. Nikolaus Schaller
2024-09-23  7:39 ` Amadeusz Sławiński [this message]
2024-09-23  8:07   ` H. Nikolaus Schaller
2024-09-23 13:02     ` Mark Brown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3ceac85f-e419-44b1-b04b-1d1cf99a3e87@linux.intel.com \
    --to=amadeuszx.slawinski@linux.intel.com \
    --cc=broonie@kernel.org \
    --cc=hns@goldelico.com \
    --cc=kernel@pyra-handheld.com \
    --cc=letux-kernel@openphoenux.org \
    --cc=lgirdwood@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sound@vger.kernel.org \
    --cc=perex@perex.cz \
    --cc=risca@dalakolonin.se \
    --cc=tiwai@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.