From: "Cássio Gabriel Monteiro Pires" <cassiogabrielcontato@gmail.com>
To: "Péter Ujfalusi" <peter.ujfalusi@linux.intel.com>,
	"Liam Girdwood" <lgirdwood@gmail.com>,
	"Bard Liao" <yung-chuan.liao@linux.intel.com>,
	"Daniel Baluta" <daniel.baluta@nxp.com>,
	"Kai Vehmanen" <kai.vehmanen@linux.intel.com>,
	"Pierre-Louis Bossart" <pierre-louis.bossart@linux.dev>,
	"Mark Brown" <broonie@kernel.org>,
	"Takashi Iwai" <tiwai@suse.com>,
	"Jaroslav Kysela" <perex@perex.cz>
Cc: sound-open-firmware@alsa-project.org,
	linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
	notify@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
Date: Wed, 10 Jun 2026 14:03:25 -0300
Message-ID: <953cdb8f-abc2-4420-b718-ff918ee84808@gmail.com>
In-Reply-To: <fcf37969-2641-4480-a4cf-3eaf37b7d3b9@linux.intel.com>

On 6/10/26 13:03, Péter Ujfalusi wrote:
>> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
>> index 8fc7726aec29..bb6b981e55d1 100644
>> --- a/sound/soc/sof/topology.c
>> +++ b/sound/soc/sof/topology.c
>> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
>>  	int ret;
>>  
>>  	while (array_size > 0 && total < count * token_instance_num) {
>> +		if (array_size < (int)sizeof(*array))
>> +			return -EINVAL;
>> +
>>  		asize = le32_to_cpu(array->size);
>>  
>>  		/* validate asize */
>> -		if (asize < sizeof(*array)) {
>> +		if (asize < (int)sizeof(*array)) {
>>  			dev_err(scomp->dev, "error: invalid array size 0x%x\n",
>>  				asize);
>>  			return -EINVAL;
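
Review bot: the new early return on `array_size < (int)sizeof(*array)` at the top of the loop is silent, while the `asize` check directly below it logs through dev_err() before returning the same -EINVAL. A truncated topology would fail here with no indication of which check rejected it; add a dev_err() that prints the remaining array_size. It is also not obvious from the hunk why the (int) cast was added to both comparisons, so a one-line comment on the signedness concern would help the next reader.
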
> 
> I think this is only partially right, I would cover a bit more:
> 
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 898b94f88706..b0d37ec2bc5e 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -12,6 +12,7 @@
>  #include <linux/device.h>
>  #include <linux/errno.h>
>  #include <linux/firmware.h>
> +#include <linux/overflow.h>
>  #include <linux/workqueue.h>
>  #include <sound/tlv.h>
>  #include <uapi/sound/sof/tokens.h>
> @@ -738,27 +739,43 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
>  	size_t offset = 0;
>  	int found = 0;
>  	int total = 0;
> +	int max_tokens;
>  	int asize;
>  	int ret;
>  
> -	while (array_size > 0 && total < count * token_instance_num) {
> +	if (check_mul_overflow(count, token_instance_num, &max_tokens)) {
> +		dev_err(scomp->dev, "%s: token count overflow %d * %d\n",
> +			__func__, count, token_instance_num);
> +		return -EINVAL;
> +	}
> +
> +	while (array_size > 0 && total < max_tokens) {
> +		if (array_size < (int)sizeof(*array)) {
> +			dev_err(scomp->dev,
> +				"%s: invalid remaining array size %d\n",
> +				__func__, array_size);
> +			return -EINVAL;
> +		}
> +
>  		asize = le32_to_cpu(array->size);
>  
>  		/* validate asize */
> -		if (asize < sizeof(*array)) {
> -			dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> -				asize);
> +		if (asize < (int)sizeof(*array)) {
> +			dev_err(scomp->dev, "%s: vendor array too small %d\n",
> +				__func__, asize);
>  			return -EINVAL;
>  		}
>  
>  		/* make sure there is enough data before parsing */
> -		array_size -= asize;
> -		if (array_size < 0) {
> -			dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> -				asize);
> +		if (asize > array_size) {
> +			dev_err(scomp->dev,
> +				"%s: vendor array size %d exceeds remaining data\n",
> +				__func__, asize);
>  			return -EINVAL;
>  		}
>  
> +		array_size -= asize;
> +
>  		/* call correct parser depending on type */
>  		switch (le32_to_cpu(array->type)) {
>  		case SND_SOC_TPLG_TUPLE_TYPE_UUID:
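
Review bot: in the `asize` validation, a size field above INT_MAX is rejected only because the u32 returned by le32_to_cpu() turns negative once stored in `int asize` and then fails `asize < (int)sizeof(*array)`. That works but is implicit, and the new "%d" messages will print such a value as a negative number where the removed lines printed it with 0x%x. Consider reading the field into an unsigned local, rejecting anything below sizeof(*array) or above the remaining array_size explicitly, and logging the raw value in hex. Moving `array_size -= asize` after the `asize > array_size` check looks right, since array_size can no longer go negative before the parser is called.
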
> 

Thank you, this is way more complete.
I will respin a v2.

-- 
Thanks,
Cássio

