From: "Péter Ujfalusi" <peter.ujfalusi@linux.intel.com>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Cc: alsa-devel@alsa-project.org,
Kai Vehmanen <kai.vehmanen@linux.intel.com>,
Daniel Baluta <daniel.baluta@nxp.com>,
kernel-janitors@vger.kernel.org, Takashi Iwai <tiwai@suse.com>,
Liam Girdwood <lgirdwood@gmail.com>,
Mark Brown <broonie@kernel.org>,
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>,
Bard Liao <yung-chuan.liao@linux.intel.com>,
sound-open-firmware@alsa-project.org
Subject: Re: [PATCH] ASoC: SOF: ipc-msg-injector: fix copy in sof_msg_inject_ipc4_dfs_write()
Date: Wed, 6 Jul 2022 11:55:33 +0300 [thread overview]
Message-ID: <4cf393e1-00f6-2b5b-a5f5-9f555fdeafdc@linux.intel.com> (raw)
In-Reply-To: <YsUzQPyZYMkhN/Q9@kili>
On 06/07/2022 10:01, Dan Carpenter wrote:
> The bug here is that when we copy the payload the value of *ppos should
> be zero but it is sizeof(ipc4_msg->header_u64) instead. That means that
> the buffer will be copied to the wrong location within the
> ipc4_msg->data_ptr buffer.
>
> Really, in this context, it is simpler and more appropriate to use
> copy_from_user() instead of simple_write_to_buffer() so I have
> re-written the function.
>
> Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> From static analysis. Not tested. I believe this function is mostly
> used to write random junk to the device and see what breaks. So
> probably it works fine as-is.
>
> sound/soc/sof/sof-client-ipc-msg-injector.c | 27 ++++++++-------------
> 1 file changed, 10 insertions(+), 17 deletions(-)
>
> diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c
> index 6bdfa527b7f7..e8ab173e95b5 100644
> --- a/sound/soc/sof/sof-client-ipc-msg-injector.c
> +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c
> @@ -181,7 +181,7 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file,
> struct sof_client_dev *cdev = file->private_data;
> struct sof_msg_inject_priv *priv = cdev->data;
> struct sof_ipc4_msg *ipc4_msg = priv->tx_buffer;
> - ssize_t size;
> + size_t data_size;
> int ret;
>
> if (*ppos)
> @@ -191,25 +191,18 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file,
> return -EINVAL;
>
> /* copy the header first */
> - size = simple_write_to_buffer(&ipc4_msg->header_u64,
> - sizeof(ipc4_msg->header_u64),
> - ppos, buffer, count);
> - if (size < 0)
> - return size;
> - if (size != sizeof(ipc4_msg->header_u64))
> + if (copy_from_user(&ipc4_msg->header_u64, buffer,
> + sizeof(ipc4_msg->header_u64)))
> return -EFAULT;
>
> - count -= size;
> + data_size = count - sizeof(ipc4_msg->header_u64);
> + if (data_size > priv->max_msg_size)
> + return -EINVAL;
> /* Copy the payload */
> - size = simple_write_to_buffer(ipc4_msg->data_ptr,
> - priv->max_msg_size, ppos, buffer,
> - count);
> - if (size < 0)
> - return size;
> - if (size != count)
> + if (copy_from_user(ipc4_msg->data_ptr, buffer, data_size))
I think this is still needs an update:
if (copy_from_user(ipc4_msg->data_ptr,
buffer + sizeof(ipc4_msg->header_u64), data_size))
To skip the already copied header.
Or without a rewrite the fix would be simple as:
/* Copy the payload */
size = simple_write_to_buffer(ipc4_msg->data_ptr, 0,
buffer + sizeof(ipc4_msg->header_u64), data_size),
count);
> return -EFAULT;
>
> - ipc4_msg->data_size = count;
> + ipc4_msg->data_size = data_size;
>
> /* Initialize the reply storage */
> ipc4_msg = priv->rx_buffer;
> @@ -221,9 +214,9 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file,
>
> /* return the error code if test failed */
> if (ret < 0)
> - size = ret;
> + count = ret;
>
> - return size;
> + return count;
> };
>
> static int sof_msg_inject_dfs_release(struct inode *inode, struct file *file)
--
Péter
WARNING: multiple messages have this Message-ID (diff)
From: "Péter Ujfalusi" <peter.ujfalusi@linux.intel.com>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Cc: alsa-devel@alsa-project.org,
Kai Vehmanen <kai.vehmanen@linux.intel.com>,
kernel-janitors@vger.kernel.org,
Bard Liao <yung-chuan.liao@linux.intel.com>,
Takashi Iwai <tiwai@suse.com>,
Liam Girdwood <lgirdwood@gmail.com>,
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>,
Mark Brown <broonie@kernel.org>,
Daniel Baluta <daniel.baluta@nxp.com>,
sound-open-firmware@alsa-project.org
Subject: Re: [PATCH] ASoC: SOF: ipc-msg-injector: fix copy in sof_msg_inject_ipc4_dfs_write()
Date: Wed, 6 Jul 2022 11:55:33 +0300 [thread overview]
Message-ID: <4cf393e1-00f6-2b5b-a5f5-9f555fdeafdc@linux.intel.com> (raw)
In-Reply-To: <YsUzQPyZYMkhN/Q9@kili>
On 06/07/2022 10:01, Dan Carpenter wrote:
> The bug here is that when we copy the payload the value of *ppos should
> be zero but it is sizeof(ipc4_msg->header_u64) instead. That means that
> the buffer will be copied to the wrong location within the
> ipc4_msg->data_ptr buffer.
>
> Really, in this context, it is simpler and more appropriate to use
> copy_from_user() instead of simple_write_to_buffer() so I have
> re-written the function.
>
> Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> From static analysis. Not tested. I believe this function is mostly
> used to write random junk to the device and see what breaks. So
> probably it works fine as-is.
>
> sound/soc/sof/sof-client-ipc-msg-injector.c | 27 ++++++++-------------
> 1 file changed, 10 insertions(+), 17 deletions(-)
>
> diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c
> index 6bdfa527b7f7..e8ab173e95b5 100644
> --- a/sound/soc/sof/sof-client-ipc-msg-injector.c
> +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c
> @@ -181,7 +181,7 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file,
> struct sof_client_dev *cdev = file->private_data;
> struct sof_msg_inject_priv *priv = cdev->data;
> struct sof_ipc4_msg *ipc4_msg = priv->tx_buffer;
> - ssize_t size;
> + size_t data_size;
> int ret;
>
> if (*ppos)
> @@ -191,25 +191,18 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file,
> return -EINVAL;
>
> /* copy the header first */
> - size = simple_write_to_buffer(&ipc4_msg->header_u64,
> - sizeof(ipc4_msg->header_u64),
> - ppos, buffer, count);
> - if (size < 0)
> - return size;
> - if (size != sizeof(ipc4_msg->header_u64))
> + if (copy_from_user(&ipc4_msg->header_u64, buffer,
> + sizeof(ipc4_msg->header_u64)))
> return -EFAULT;
>
> - count -= size;
> + data_size = count - sizeof(ipc4_msg->header_u64);
> + if (data_size > priv->max_msg_size)
> + return -EINVAL;
> /* Copy the payload */
> - size = simple_write_to_buffer(ipc4_msg->data_ptr,
> - priv->max_msg_size, ppos, buffer,
> - count);
> - if (size < 0)
> - return size;
> - if (size != count)
> + if (copy_from_user(ipc4_msg->data_ptr, buffer, data_size))
I think this is still needs an update:
if (copy_from_user(ipc4_msg->data_ptr,
buffer + sizeof(ipc4_msg->header_u64), data_size))
To skip the already copied header.
Or without a rewrite the fix would be simple as:
/* Copy the payload */
size = simple_write_to_buffer(ipc4_msg->data_ptr, 0,
buffer + sizeof(ipc4_msg->header_u64), data_size),
count);
> return -EFAULT;
>
> - ipc4_msg->data_size = count;
> + ipc4_msg->data_size = data_size;
>
> /* Initialize the reply storage */
> ipc4_msg = priv->rx_buffer;
> @@ -221,9 +214,9 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file,
>
> /* return the error code if test failed */
> if (ret < 0)
> - size = ret;
> + count = ret;
>
> - return size;
> + return count;
> };
>
> static int sof_msg_inject_dfs_release(struct inode *inode, struct file *file)
--
Péter
next prev parent reply other threads:[~2022-07-06 8:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-06 7:01 [PATCH] ASoC: SOF: ipc-msg-injector: fix copy in sof_msg_inject_ipc4_dfs_write() Dan Carpenter
2022-07-06 7:01 ` Dan Carpenter
2022-07-06 8:55 ` Péter Ujfalusi [this message]
2022-07-06 8:55 ` Péter Ujfalusi
2022-07-06 10:16 ` Dan Carpenter
2022-07-06 10:16 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4cf393e1-00f6-2b5b-a5f5-9f555fdeafdc@linux.intel.com \
--to=peter.ujfalusi@linux.intel.com \
--cc=alsa-devel@alsa-project.org \
--cc=broonie@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=daniel.baluta@nxp.com \
--cc=kai.vehmanen@linux.intel.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=lgirdwood@gmail.com \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=ranjani.sridharan@linux.intel.com \
--cc=sound-open-firmware@alsa-project.org \
--cc=tiwai@suse.com \
--cc=yung-chuan.liao@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.