From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: alsa-devel@alsa-project.org, broonie@kernel.org,
	Bard Liao <yung-chuan.liao@linux.intel.com>,
	Cezary Rojewski <cezary.rojewski@intel.com>,
	Kai Vehmanen <kai.vehmanen@linux.intel.com>
Subject: Re: [PATCH 2/4] ALSA: hda: intel-nhlt: add intel_nhlt_ssp_mclk_mask()
Date: Tue, 23 Aug 2022 10:41:28 +0200
Message-ID: <47d5c5d7-5aaf-c554-a943-6059b38d2dcd@linux.intel.com>
In-Reply-To: <87zgfvqs1p.wl-tiwai@suse.de>

Hi Takashi,

>> +#define SSP_BLOB_V1_0_SIZE		84
>> +#define SSP_BLOB_V1_0_MDIVC_OFFSET	19 /* offset in u32 */
>> +#define SSP_BLOB_V1_5_SIZE		96
>> +#define SSP_BLOB_V1_5_MDIVC_OFFSET	21 /* offset in u32 */
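Review bot: SSP_BLOB_V1_0_SIZE and SSP_BLOB_V1_5_SIZE carry no unit, while
the two MDIVC offsets are commented as u32 indices; add a comment that the
sizes are in bytes, because index 21 in u32 is byte offset 84 and any bounds
check ends up comparing the two units.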
> 
> This is 84 in bytes, which is equal to SSP_BLOB_V1_0_SIZE.
> So...
> 
>> +			for (j = 0; j < fmt->fmt_count; j++) {
>> +				u32 *blob;
>> +				int mdivc_offset;
>> +
>> +				if (cfg->config.size >= SSP_BLOB_V1_0_SIZE) {
>> +					blob = (u32 *)cfg->config.caps;
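Review bot: the cfg->config.size >= SSP_BLOB_V1_0_SIZE guard only proves
that 84 bytes are present, which covers u32 index 19 but not index 21
(bytes 84 to 87), so blob must not be indexed with
SSP_BLOB_V1_5_MDIVC_OFFSET on the strength of this check alone. Choose
mdivc_offset first, then require config.size to cover
(mdivc_offset + 1) * sizeof(u32), or to equal the size expected for that
version, before dereferencing blob.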
> 
> ... the size check is >= 84.  If cfg->config.size==84, it may be an
> out-of-bound read at blob[SSP_BLOB_V1_5_MDIVC_OFFSET]?
> 
> I don't think this would really matter in practice, but it's better to
> have a proper check, of course.

The check was intended to be a minimal check but you're right that it
doesn't cover the 1.5 case.

It might make more sense to first make sure we have enough space to read
the version and then check for an exact match between expected size and
actual size before reading the mdivc value.

Will fix, thanks for the feedback.
-Pierre
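
The check order described in this reply (enough bytes for the version, then
an exact size match, then the MDIVC read), as an added userspace C example
that is not code from the patch or the kernel. The sizes and offsets are the
ones quoted above; the position of the version word (EX_VERSION_WORD) and the
v1.5 tag value (EX_VERSION_1_5) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes (bytes) and MDIVC offsets (u32 index) as quoted in the patch. */
#define SSP_BLOB_V1_0_SIZE         84
#define SSP_BLOB_V1_0_MDIVC_OFFSET 19
#define SSP_BLOB_V1_5_SIZE         96
#define SSP_BLOB_V1_5_MDIVC_OFFSET 21
/* Assumptions for this example only, not taken from the thread. */
#define EX_VERSION_WORD 1            /* hypothetical u32 index of the version tag */
#define EX_VERSION_1_5  0x00000105u  /* hypothetical tag marking a v1.5 blob */

/* Read u32 number idx from a byte buffer without alignment assumptions. */
static uint32_t ex_rd32(const uint8_t *buf, size_t idx)
{
	uint32_t v;
	memcpy(&v, buf + idx * sizeof(v), sizeof(v));
	return v;
}

/* Returns 0 and stores MDIVC in *mdivc, or -1 if the blob is malformed. */
int ex_ssp_blob_mdivc(const uint8_t *caps, size_t size, uint32_t *mdivc)
{
	size_t expected, offset;

	/* Step 1: are there enough bytes to read the version word at all? */
	if (size < (EX_VERSION_WORD + 1) * sizeof(uint32_t))
		return -1;
	/* Step 2: the version selects both the expected size and the offset. */
	if (ex_rd32(caps, EX_VERSION_WORD) == EX_VERSION_1_5) {
		expected = SSP_BLOB_V1_5_SIZE;
		offset = SSP_BLOB_V1_5_MDIVC_OFFSET;
	} else {
		expected = SSP_BLOB_V1_0_SIZE;
		offset = SSP_BLOB_V1_0_MDIVC_OFFSET;
	}
	/* Step 3: exact size match before touching the MDIVC word. */
	if (size != expected)
		return -1;
	*mdivc = ex_rd32(caps, offset);
	return 0;
}

int main(void)
{
	uint8_t blob[SSP_BLOB_V1_0_SIZE] = {0}; /* constructed all-zero v1.0 blob */
	uint32_t mdivc;
	return ex_ssp_blob_mdivc(blob, sizeof(blob), &mdivc);
}
```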

Thread overview: 13+ messages
2022-08-22 18:59 [PATCH 0/4] ASoC: SOF: Intel: override mclk_id for ES8336 support Pierre-Louis Bossart
2022-08-22 18:59 ` [PATCH 1/4] ASoC: SOF: add quirk to override topology mclk_id Pierre-Louis Bossart
2022-08-22 18:59 ` [PATCH 2/4] ALSA: hda: intel-nhlt: add intel_nhlt_ssp_mclk_mask() Pierre-Louis Bossart
2022-08-23  8:32   ` Takashi Iwai
2022-08-23  8:41     ` Pierre-Louis Bossart [this message]
2022-08-23  8:33   ` Amadeusz Sławiński
2022-08-23  8:52     ` Pierre-Louis Bossart
2022-08-23 14:55       ` Amadeusz Sławiński
2022-08-23 15:18         ` Pierre-Louis Bossart
2022-08-24 10:53           ` Amadeusz Sławiński
2022-08-24 11:17             ` Pierre-Louis Bossart
2022-08-22 18:59 ` [PATCH 3/4] ASoC: SOF: Intel: hda: override mclk_id after parsing NHLT SSP blob Pierre-Louis Bossart
2022-08-22 18:59 ` [PATCH 4/4] ASoC: SOF: Intel: hda: refine SSP count support Pierre-Louis Bossart