* [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
@ 2023-09-15 19:09 Gustavo A. R. Silva
2023-09-15 19:14 ` Kees Cook
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Gustavo A. R. Silva @ 2023-09-15 19:09 UTC (permalink / raw)
To: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Mark Brown,
Jaroslav Kysela, Takashi Iwai
Cc: sound-open-firmware, alsa-devel, linux-kernel,
Gustavo A. R. Silva, linux-hardening
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.
Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
sound/soc/sof/ipc4-topology.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
index f2a30cd31378..2a19dd022aaf 100644
--- a/sound/soc/sof/ipc4-topology.c
+++ b/sound/soc/sof/ipc4-topology.c
@@ -895,7 +895,8 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget)
if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) {
struct sof_ipc4_base_module_cfg_ext *base_cfg_ext;
u32 ext_size = struct_size(base_cfg_ext, pin_formats,
- swidget->num_input_pins + swidget->num_output_pins);
+ size_add(swidget->num_input_pins,
+ swidget->num_output_pins));
base_cfg_ext = kzalloc(ext_size, GFP_KERNEL);
if (!base_cfg_ext) {
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-09-15 19:09 [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() Gustavo A. R. Silva
@ 2023-09-15 19:14 ` Kees Cook
2023-09-29 19:14 ` Kees Cook
2023-10-02 15:17 ` Mark Brown
2 siblings, 0 replies; 8+ messages in thread
From: Kees Cook @ 2023-09-15 19:14 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Mark Brown,
Jaroslav Kysela, Takashi Iwai, sound-open-firmware, alsa-devel,
linux-kernel, linux-hardening
On Fri, Sep 15, 2023 at 01:09:11PM -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
> Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-09-15 19:09 [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() Gustavo A. R. Silva
2023-09-15 19:14 ` Kees Cook
@ 2023-09-29 19:14 ` Kees Cook
2023-10-01 10:25 ` Mark Brown
2023-10-02 15:17 ` Mark Brown
2 siblings, 1 reply; 8+ messages in thread
From: Kees Cook @ 2023-09-29 19:14 UTC (permalink / raw)
To: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Mark Brown,
Jaroslav Kysela, Takashi Iwai, Gustavo A. R. Silva
Cc: Kees Cook, sound-open-firmware, alsa-devel, linux-kernel,
linux-hardening
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
>
Applied to for-next/hardening, thanks!
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
https://git.kernel.org/kees/c/93d2858dd630
Take care,
--
Kees Cook
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-09-29 19:14 ` Kees Cook
@ 2023-10-01 10:25 ` Mark Brown
2023-10-01 20:37 ` Kees Cook
0 siblings, 1 reply; 8+ messages in thread
From: Mark Brown @ 2023-10-01 10:25 UTC (permalink / raw)
To: Kees Cook
Cc: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Jaroslav Kysela,
Takashi Iwai, Gustavo A. R. Silva, sound-open-firmware,
alsa-devel, linux-kernel, linux-hardening
[-- Attachment #1: Type: text/plain, Size: 527 bytes --]
On Fri, Sep 29, 2023 at 12:14:59PM -0700, Kees Cook wrote:
> On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> > If, for any reason, the open-coded arithmetic causes a wraparound,
> > the protection that `struct_size()` adds against potential integer
> > overflows is defeated. Fix this by hardening call to `struct_size()`
> > with `size_add()`.
> [1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
> https://git.kernel.org/kees/c/93d2858dd630
Why is this bypassing the ASoC tree?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-10-01 10:25 ` Mark Brown
@ 2023-10-01 20:37 ` Kees Cook
2023-10-02 10:59 ` Mark Brown
0 siblings, 1 reply; 8+ messages in thread
From: Kees Cook @ 2023-10-01 20:37 UTC (permalink / raw)
To: Mark Brown
Cc: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Jaroslav Kysela,
Takashi Iwai, Gustavo A. R. Silva, sound-open-firmware,
alsa-devel, linux-kernel, linux-hardening
On Sun, Oct 01, 2023 at 11:25:59AM +0100, Mark Brown wrote:
> On Fri, Sep 29, 2023 at 12:14:59PM -0700, Kees Cook wrote:
> > On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
>
> > > If, for any reason, the open-coded arithmetic causes a wraparound,
> > > the protection that `struct_size()` adds against potential integer
> > > overflows is defeated. Fix this by hardening call to `struct_size()`
> > > with `size_add()`.
>
> > [1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
> > https://git.kernel.org/kees/c/93d2858dd630
>
> Why is this bypassing the ASoC tree?
Hi! Sorry, I can drop it if you want to take it? I tend to collect trivial
hardening changes with reviews that haven't been otherwise commented on
for at least 2 weeks.
-Kees
--
Kees Cook
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-10-01 20:37 ` Kees Cook
@ 2023-10-02 10:59 ` Mark Brown
0 siblings, 0 replies; 8+ messages in thread
From: Mark Brown @ 2023-10-02 10:59 UTC (permalink / raw)
To: Kees Cook
Cc: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Jaroslav Kysela,
Takashi Iwai, Gustavo A. R. Silva, sound-open-firmware,
alsa-devel, linux-kernel, linux-hardening
[-- Attachment #1: Type: text/plain, Size: 503 bytes --]
On Sun, Oct 01, 2023 at 01:37:04PM -0700, Kees Cook wrote:
> On Sun, Oct 01, 2023 at 11:25:59AM +0100, Mark Brown wrote:
> > Why is this bypassing the ASoC tree?
> Hi! Sorry, I can drop it if you want to take it? I tend to collect trivial
> hardening changes with reviews that haven't been otherwise commented on
> for at least 2 weeks.
Yes, it's in my queue - 2 weeks is really rather fast between people not
being available and waiting for driver authors to review if they
normally look at things.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-09-15 19:09 [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() Gustavo A. R. Silva
2023-09-15 19:14 ` Kees Cook
2023-09-29 19:14 ` Kees Cook
@ 2023-10-02 15:17 ` Mark Brown
2023-10-02 16:49 ` Kees Cook
2 siblings, 1 reply; 8+ messages in thread
From: Mark Brown @ 2023-10-02 15:17 UTC (permalink / raw)
To: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Jaroslav Kysela,
Takashi Iwai, Gustavo A. R. Silva
Cc: sound-open-firmware, alsa-devel, linux-kernel, linux-hardening
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
>
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
commit: 3746284c233d5cf5f456400e61cd4a46a69c6e8c
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
2023-10-02 15:17 ` Mark Brown
@ 2023-10-02 16:49 ` Kees Cook
0 siblings, 0 replies; 8+ messages in thread
From: Kees Cook @ 2023-10-02 16:49 UTC (permalink / raw)
To: Mark Brown
Cc: Pierre-Louis Bossart, Liam Girdwood, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Daniel Baluta, Kai Vehmanen, Jaroslav Kysela,
Takashi Iwai, Gustavo A. R. Silva, sound-open-firmware,
alsa-devel, linux-kernel, linux-hardening
On Mon, Oct 02, 2023 at 04:17:24PM +0100, Mark Brown wrote:
> On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> > If, for any reason, the open-coded arithmetic causes a wraparound,
> > the protection that `struct_size()` adds against potential integer
> > overflows is defeated. Fix this by hardening call to `struct_size()`
> > with `size_add()`.
> >
> >
>
> Applied to
>
> https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
>
> Thanks!
>
> [1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
> commit: 3746284c233d5cf5f456400e61cd4a46a69c6e8c
Thanks! I've dropped it from my tree.
-Kees
--
Kees Cook
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-10-02 16:50 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-15 19:09 [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() Gustavo A. R. Silva
2023-09-15 19:14 ` Kees Cook
2023-09-29 19:14 ` Kees Cook
2023-10-01 10:25 ` Mark Brown
2023-10-01 20:37 ` Kees Cook
2023-10-02 10:59 ` Mark Brown
2023-10-02 15:17 ` Mark Brown
2023-10-02 16:49 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).