From: "Péter Ujfalusi" <peter.ujfalusi@linux.intel.com>
To: "Cássio Gabriel" <cassiogabrielcontato@gmail.com>,
"Liam Girdwood" <lgirdwood@gmail.com>,
"Bard Liao" <yung-chuan.liao@linux.intel.com>,
"Daniel Baluta" <daniel.baluta@nxp.com>,
"Kai Vehmanen" <kai.vehmanen@linux.intel.com>,
"Pierre-Louis Bossart" <pierre-louis.bossart@linux.dev>,
"Mark Brown" <broonie@kernel.org>,
"Takashi Iwai" <tiwai@suse.com>,
"Jaroslav Kysela" <perex@perex.cz>
Cc: sound-open-firmware@alsa-project.org,
linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org,
notify@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] ASoC: SOF: topology: validate vendor array size before parsing
Date: Wed, 10 Jun 2026 19:03:27 +0300
Message-ID: <fcf37969-2641-4480-a4cf-3eaf37b7d3b9@linux.intel.com>
In-Reply-To: <20260603-sof-topology-array-size-signed-v1-1-84f97879a4ef@gmail.com>

On 03/06/2026 20:57, Cássio Gabriel wrote:
> sof_parse_token_sets() reads array->size while iterating over topology
> private data. The loop condition only checks that some data remains, so a
> malformed topology with a truncated trailing vendor array can make the
> parser read the size field before a full vendor-array header is available.
>
> Validate that the remaining private data contains a complete
> snd_soc_tplg_vendor_array header before reading array->size.
>
> The declared array size check also needs to remain signed. asize is an int,
> but sizeof(*array) has type size_t, so comparing them directly promotes
> negative asize values to unsigned and lets them pass the check,
> as reported in the stable review thread reference below.
>
> Cast sizeof(*array) to int when validating the declared array size. This
> rejects negative, zero and otherwise too-small sizes before the parser
> dispatches to the tuple-specific code.
>
> Link: https://lore.kernel.org/stable/CANiDSCsjR5NHqu_Ui5cOqWdJgFqmYsQ9WR8O7m0WOhngaYXFpw@mail.gmail.com/t/#m9b3be379221e79327cc13fd71009287368ef4f23
> Fixes: 215e5fe75881 ("ASoC: SOF: topology: reject invalid vendor array size in token parser")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
> ---
> sound/soc/sof/topology.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
> index 8fc7726aec29..bb6b981e55d1 100644
> --- a/sound/soc/sof/topology.c
> +++ b/sound/soc/sof/topology.c
> @@ -740,10 +740,13 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
> int ret;
>
> while (array_size > 0 && total < count * token_instance_num) {
> + if (array_size < (int)sizeof(*array))
> + return -EINVAL;
> +
> asize = le32_to_cpu(array->size);
>
> /* validate asize */
> - if (asize < sizeof(*array)) {
> + if (asize < (int)sizeof(*array)) {
> dev_err(scomp->dev, "error: invalid array size 0x%x\n",
> asize);
> return -EINVAL;
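Review bot: The new remaining-length check at the top of the loop, `if (array_size < (int)sizeof(*array)) return -EINVAL;`, fails silently, while the asize check directly below it reports through dev_err(). Add a dev_err() that prints array_size so a truncated trailing vendor array can be told apart from other -EINVAL returns in the log. The loop condition in the unchanged context line still evaluates `count * token_instance_num` as a plain int product with no overflow check.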
I think this is only partially right, I would cover a bit more:
diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 898b94f88706..b0d37ec2bc5e 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -12,6 +12,7 @@
#include <linux/device.h>
#include <linux/errno.h>
#include <linux/firmware.h>
+#include <linux/overflow.h>
#include <linux/workqueue.h>
#include <sound/tlv.h>
#include <uapi/sound/sof/tokens.h>
@@ -738,27 +739,43 @@ static int sof_parse_token_sets(struct snd_soc_component *scomp,
size_t offset = 0;
int found = 0;
int total = 0;
+ int max_tokens;
int asize;
int ret;
- while (array_size > 0 && total < count * token_instance_num) {
+ if (check_mul_overflow(count, token_instance_num, &max_tokens)) {
+ dev_err(scomp->dev, "%s: token count overflow %d * %d\n",
+ __func__, count, token_instance_num);
+ return -EINVAL;
+ }
+
+ while (array_size > 0 && total < max_tokens) {
+ if (array_size < (int)sizeof(*array)) {
+ dev_err(scomp->dev,
+ "%s: invalid remaining array size %d\n",
+ __func__, array_size);
+ return -EINVAL;
+ }
+
asize = le32_to_cpu(array->size);
/* validate asize */
- if (asize < sizeof(*array)) {
- dev_err(scomp->dev, "error: invalid array size 0x%x\n",
- asize);
+ if (asize < (int)sizeof(*array)) {
+ dev_err(scomp->dev, "%s: vendor array too small %d\n",
+ __func__, asize);
return -EINVAL;
}
/* make sure there is enough data before parsing */
- array_size -= asize;
- if (array_size < 0) {
- dev_err(scomp->dev, "error: invalid array size 0x%x\n",
- asize);
+ if (asize > array_size) {
+ dev_err(scomp->dev,
+ "%s: vendor array size %d exceeds remaining data\n",
+ __func__, asize);
return -EINVAL;
}
+ array_size -= asize;
+
/* call correct parser depending on type */
switch (le32_to_cpu(array->type)) {
case SND_SOC_TPLG_TUPLE_TYPE_UUID:
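Review bot: In the `asize > array_size` branch the dev_err() prints only asize, so the log does not show how much private data was left when the array was rejected; print array_size as well, for example "%s: vendor array size %d exceeds remaining data %d\n". Separately, check_mul_overflow() only reports overflow: if count or token_instance_num is zero, or exactly one of them is negative, max_tokens is <= 0 and `total < max_tokens` skips the loop without any message, so it is worth stating whether that is the intended outcome or rejecting non-positive values explicitly.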
>
> ---
> base-commit: bb451bc01ea42c9e47557638400708e20df34178
> change-id: 20260530-sof-topology-array-size-signed-06abdacb1cdc
>
> Best regards,
> --
> Cássio Gabriel <cassiogabrielcontato@gmail.com>
>
--
Péter
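
The truncated-header and negative-size cases discussed in this thread, as an added user-space model (not code from either patch or from the kernel). `struct hdr`, `walk()`, the status codes and the three sample blobs are constructed for illustration; `hardened == 0` models the comparison against `size_t`, `hardened == 1` the signed checks.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-in for the vendor array header (size, type, num_elems). */
struct hdr { uint32_t size, type, num_elems; };
enum { OK = 0, REJECTED = -1, OOB_READ = -2, BAD_ADVANCE = -3 };

/* Constructed sample blobs, little-endian as in a topology file. */
static const uint8_t good[]  = { 12, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };
static const uint8_t trunc[] = { 12, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0xAA, 0xBB };
static const uint8_t neg[]   = { 0xF0, 0xFF, 0xFF, 0xFF,  0, 0, 0, 0,  0, 0, 0, 0 };

static int32_t le32(const uint8_t *p)
{
	return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Walk `declared` bytes of private data and report the first failure. */
static int walk(const uint8_t *buf, int declared, int hardened)
{
	int off = 0, array_size = declared, asize;

	while (array_size > 0) {
		if (hardened && array_size < (int)sizeof(struct hdr))
			return REJECTED;	/* no room for a full header */
		if (off + 4 > declared)
			return OOB_READ;	/* size field lies past the data */
		asize = le32(buf + off);
		/* the cast spells out what the implicit promotion does */
		if (hardened ? asize < (int)sizeof(struct hdr)
			     : (size_t)asize < sizeof(struct hdr))
			return REJECTED;
		if (asize < 0)
			return BAD_ADVANCE;	/* negative size was accepted */
		if (asize > array_size)
			return REJECTED;	/* same outcome in both models */
		array_size -= asize;
		off += asize;
	}
	return OK;
}

int main(void)
{
	/* exit status 0 when the hardened walk rejects both malformed blobs */
	return !(walk(good, sizeof(good), 1) == OK &&
		 walk(trunc, sizeof(trunc), 1) == REJECTED &&
		 walk(neg, sizeof(neg), 1) == REJECTED);
}
```

The model returns `OOB_READ` or `BAD_ADVANCE` instead of performing the out-of-range access, so it is safe to run under a sanitizer.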