From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: Daniel Baluta <daniel.baluta@gmail.com>,
andriy.shevchenko@intel.com, alsa-devel@alsa-project.org,
liam.r.girdwood@linux.intel.com, vkoul@kernel.org,
broonie@kernel.org, sound-open-firmware@alsa-project.org,
Alan Cox <alan@linux.intel.com>
Subject: Re: [PATCH v3 02/14] ASoC: SOF: Add Sound Open Firmware KControl support
Date: Wed, 12 Dec 2018 09:01:25 -0600
Message-ID: <e352861d-b34d-9ad2-ae16-6e51a52ce3d5@linux.intel.com>
In-Reply-To: <s5hftv3urib.wl-tiwai@suse.de>
On 12/12/18 1:35 AM, Takashi Iwai wrote:
> On Tue, 11 Dec 2018 22:23:06 +0100,
> Pierre-Louis Bossart wrote:
>> +int snd_sof_enum_get(struct snd_kcontrol *kcontrol,
>> + struct snd_ctl_elem_value *ucontrol)
>> +{
> ....
>> + /* read back each channel */
>> + for (i = 0; i < channels; i++)
>> + ucontrol->value.integer.value[i] = cdata->chanv[i].value;
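Review bot: The store in the read-back loop, `ucontrol->value.integer.value[i] = cdata->chanv[i].value;`, goes through the wrong union member for an enumerated control, and the effect is not limited to big-endian. `integer.value[]` is an array of `long` while `enumerated.item[]` is an array of `unsigned int`, so on any 64-bit build the element stride differs and every channel after the first lands in the wrong `item[]` slot, even on little-endian. Assign to `ucontrol->value.enumerated.item[i]` here, and make the matching change to the load in snd_sof_enum_put().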
> enum type needs to access ucontrol->value.enumerated.item[i].
> This has a different size, hence using integer.value[] would be broken
> on BE archs.
Oops, likely a copy/paste...
>
>> +int snd_sof_enum_put(struct snd_kcontrol *kcontrol,
>> + struct snd_ctl_elem_value *ucontrol)
>> +{
> ....
>> + /* update each channel */
>> + for (i = 0; i < channels; i++)
>> + cdata->chanv[i].value = ucontrol->value.integer.value[i];
> Ditto.
Same here.
>
>> +int snd_sof_bytes_get(struct snd_kcontrol *kcontrol,
>> + struct snd_ctl_elem_value *ucontrol)
>> +{
> ....
>> + size = data->size + sizeof(*data);
>> + if (size > be->max) {
>> + dev_err(sdev->dev, "error: DSP sent %zu bytes max is %d\n",
>> + size, be->max);
>> + ret = -EINVAL;
>> + goto out;
>> + }
>> +
>> + /* copy back to kcontrol */
>> + memcpy(ucontrol->value.bytes.data, data, size);
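Review bot: The `if (size > be->max)` check above the memcpy() bounds the copy by the control's own `be->max`, not by the destination, so `ucontrol->value.bytes.data` is only protected if `be->max` was itself validated against that array when the control was created. Add an explicit rejection of `size > sizeof(ucontrol->value.bytes.data)` next to the existing check, so that the DSP-reported `data->size` can never drive the copy past the fixed-size array. Also, judging by the %zu and %d format specifiers, the comparison mixes an unsigned `size` with a signed `be->max`; a negative `be->max` would be converted to a very large limit, so reject non-positive values or make the limit unsigned.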
> I *hope* that the data size max was already examined not to exceed
> ucontrol data array size beforehand. But a sanity check to catch a
> buffer overflow here won't hurt.
> Ditto for *_put().
I think we do just that in the 'if' case just above the memcpy, but
we'll double-check.
>
>> +int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol,
>> + const unsigned int __user *binary_data,
>> + unsigned int size)
>> +{
>> + struct soc_bytes_ext *be =
>> + (struct soc_bytes_ext *)kcontrol->private_value;
>> + struct snd_sof_control *scontrol = be->dobj.private;
>> + struct snd_sof_dev *sdev = scontrol->sdev;
>> + struct sof_ipc_ctrl_data *cdata = scontrol->control_data;
>> + struct snd_ctl_tlv header;
>> + struct snd_ctl_tlv __user *tlvd =
>> + (struct snd_ctl_tlv __user *)binary_data;
> Don't drop const.
Ah, I added this cast to make a sparse warning go away, not sure why the
const was removed.
I'll double-check again, thanks.
>
>> + int ret;
>> + int err;
>> + int max_size = SOF_IPC_MSG_MAX_SIZE -
>> + sizeof(const struct sof_ipc_ctrl_data);
>> +
>> + ret = pm_runtime_get_sync(sdev->dev);
>> + if (ret < 0) {
>> + dev_err(sdev->dev, "error: bytes_ext put failed to resume %d\n",
>> + ret);
>> + return ret;
>> + }
>> +
>> + /* The beginning of bytes data contains a header from where
>> + * the length (as bytes) is needed to know the correct copy
>> + * length of data from tlvd->tlv.
>> + */
>> + if (copy_from_user(&header, tlvd, sizeof(const struct snd_ctl_tlv))) {
>> + ret = -EFAULT;
>> + goto out;
>> + }
>> + /* The maximum length that can be copied is limited by IPC max
>> + * length and topology defined length for ext bytes control.
>> + */
>> + max_size = (be->max < max_size) ? be->max : max_size;
>> + if (header.length > max_size) {
>> + dev_err(sdev->dev, "error: Bytes data size %d exceeds max %d.\n",
>> + header.length, max_size);
>> + ret = -EINVAL;
>> + goto out;
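Review bot: `max_size` is declared `int` but is compared with the user-supplied, unsigned `header.length` in `if (header.length > max_size)`, so the comparison is done as unsigned. If `be->max` is zero or negative, the ternary `(be->max < max_size) ? be->max : max_size` selects it and a negative limit turns into a very large one that accepts any length. Make `max_size` an unsigned type, reject a non-positive `be->max` before the comparison, and print `header.length` with %u rather than %d. Separately, the early `return ret;` after a failed pm_runtime_get_sync() leaves the usage count raised, because that call increments the counter even when it fails; drop it with pm_runtime_put_noidle() before returning.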
> Here user can pass a malicious data, and printing the error at each
> time would flood the kernel log. The error message can be dropped or
> make debug, or use ratelimited version.
> Ditto for the rest checks.
Good point, we'll fix this.