From: Takashi Iwai <tiwai@suse.de>
To: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Cc: alsa-devel@alsa-project.org, andriy.shevchenko@intel.com,
Daniel Baluta <daniel.baluta@gmail.com>,
liam.r.girdwood@linux.intel.com, vkoul@kernel.org,
broonie@kernel.org, Alan Cox <alan@linux.intel.com>,
sound-open-firmware@alsa-project.org
Subject: Re: [PATCH v3 02/14] ASoC: SOF: Add Sound Open Firmware KControl support
Date: Wed, 12 Dec 2018 08:35:24 +0100 [thread overview]
Message-ID: <s5hftv3urib.wl-tiwai@suse.de> (raw)
In-Reply-To: <20181211212318.28644-3-pierre-louis.bossart@linux.intel.com>
On Tue, 11 Dec 2018 22:23:06 +0100,
Pierre-Louis Bossart wrote:
>
> +int snd_sof_enum_get(struct snd_kcontrol *kcontrol,
> + struct snd_ctl_elem_value *ucontrol)
> +{
....
> + /* read back each channel */
> + for (i = 0; i < channels; i++)
> + ucontrol->value.integer.value[i] = cdata->chanv[i].value;
enum type needs to access ucontrol->value.enumerated.item[i].
This has a different size, hence using integer.value[] would be broken
on BE archs.
> +int snd_sof_enum_put(struct snd_kcontrol *kcontrol,
> + struct snd_ctl_elem_value *ucontrol)
> +{
....
> + /* update each channel */
> + for (i = 0; i < channels; i++)
> + cdata->chanv[i].value = ucontrol->value.integer.value[i];
Ditto.
> +int snd_sof_bytes_get(struct snd_kcontrol *kcontrol,
> + struct snd_ctl_elem_value *ucontrol)
> +{
....
> + size = data->size + sizeof(*data);
> + if (size > be->max) {
> + dev_err(sdev->dev, "error: DSP sent %zu bytes max is %d\n",
> + size, be->max);
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + /* copy back to kcontrol */
> + memcpy(ucontrol->value.bytes.data, data, size);
I *hope* that the data size max was already examined not to exceed
ucontrol data array size beforehand. But a sanity check to catch a
buffer overflow here won't hurt.
Ditto for *_put().
> +int snd_sof_bytes_ext_put(struct snd_kcontrol *kcontrol,
> + const unsigned int __user *binary_data,
> + unsigned int size)
> +{
> + struct soc_bytes_ext *be =
> + (struct soc_bytes_ext *)kcontrol->private_value;
> + struct snd_sof_control *scontrol = be->dobj.private;
> + struct snd_sof_dev *sdev = scontrol->sdev;
> + struct sof_ipc_ctrl_data *cdata = scontrol->control_data;
> + struct snd_ctl_tlv header;
> + struct snd_ctl_tlv __user *tlvd =
> + (struct snd_ctl_tlv __user *)binary_data;
Don't drop const.
> + int ret;
> + int err;
> + int max_size = SOF_IPC_MSG_MAX_SIZE -
> + sizeof(const struct sof_ipc_ctrl_data);
> +
> + ret = pm_runtime_get_sync(sdev->dev);
> + if (ret < 0) {
> + dev_err(sdev->dev, "error: bytes_ext put failed to resume %d\n",
> + ret);
> + return ret;
> + }
> +
> + /* The beginning of bytes data contains a header from where
> + * the length (as bytes) is needed to know the correct copy
> + * length of data from tlvd->tlv.
> + */
> + if (copy_from_user(&header, tlvd, sizeof(const struct snd_ctl_tlv))) {
> + ret = -EFAULT;
> + goto out;
> + }
> + /* The maximum length that can be copied is limited by IPC max
> + * length and topology defined length for ext bytes control.
> + */
> + max_size = (be->max < max_size) ? be->max : max_size;
> + if (header.length > max_size) {
> + dev_err(sdev->dev, "error: Bytes data size %d exceeds max %d.\n",
> + header.length, max_size);
> + ret = -EINVAL;
> + goto out;
Here user can pass a malicious data, and printing the error at each
time would flood the kernel log. The error message can be dropped or
make debug, or use ratelimited version.
Ditto for the rest checks.
thanks,
Takashi
next prev parent reply other threads:[~2018-12-12 7:35 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-11 21:23 [PATCH v3 00/14] Sound Open Firmware (SOF) core Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 01/14] ASoC: SOF: Add Sound Open Firmware driver core Pierre-Louis Bossart
2018-12-11 22:20 ` Andy Shevchenko
2018-12-11 23:20 ` Pierre-Louis Bossart
2018-12-12 7:51 ` Takashi Iwai
2018-12-12 14:53 ` Pierre-Louis Bossart
2018-12-12 20:42 ` Daniel Baluta
2018-12-12 22:35 ` Pierre-Louis Bossart
2019-01-29 16:49 ` Daniel Baluta
2019-01-30 16:12 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 02/14] ASoC: SOF: Add Sound Open Firmware KControl support Pierre-Louis Bossart
2018-12-11 22:23 ` Andy Shevchenko
2018-12-11 22:48 ` Pierre-Louis Bossart
2018-12-11 23:25 ` Andy Shevchenko
2018-12-12 20:18 ` Pierre-Louis Bossart
2018-12-12 7:35 ` Takashi Iwai [this message]
2018-12-12 15:01 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 03/14] ASoC: SOF: Add driver debug support Pierre-Louis Bossart
2018-12-11 22:32 ` Andy Shevchenko
2018-12-11 23:29 ` Pierre-Louis Bossart
2019-01-09 19:40 ` Mark Brown
2019-01-10 20:47 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 04/14] ASoC: SOF: Add support for IPC IO between DSP and Host Pierre-Louis Bossart
2018-12-11 22:57 ` Andy Shevchenko
2018-12-11 23:38 ` Pierre-Louis Bossart
2018-12-12 8:17 ` Takashi Iwai
2018-12-12 15:19 ` Pierre-Louis Bossart
2018-12-12 15:34 ` Takashi Iwai
2018-12-13 5:24 ` Keyon Jie
2018-12-13 7:48 ` Takashi Iwai
2018-12-13 9:13 ` Keyon Jie
2018-12-13 8:06 ` Keyon Jie
2018-12-13 8:59 ` rander.wang
2019-01-09 20:37 ` Mark Brown
2019-01-10 20:11 ` Pierre-Louis Bossart
2019-01-22 19:04 ` Mark Brown
2019-01-22 21:05 ` Pierre-Louis Bossart
2019-01-22 21:13 ` Mark Brown
2019-01-23 5:51 ` [Sound-open-firmware] " Keyon Jie
2019-01-14 15:10 ` Daniel Baluta
2019-01-14 17:39 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 05/14] ASoC: SOF: Add PCM operations support Pierre-Louis Bossart
2018-12-12 8:04 ` Takashi Iwai
2018-12-12 13:12 ` Andy Shevchenko
2018-12-12 15:29 ` [Sound-open-firmware] " Pierre-Louis Bossart
2018-12-12 15:43 ` Takashi Iwai
2018-12-12 16:10 ` Pierre-Louis Bossart
2018-12-12 22:09 ` Daniel Baluta
2018-12-11 21:23 ` [PATCH v3 06/14] ASoC: SOF: Add support for loading topologies Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 07/14] ASoC: SOF: Add DSP firmware logger support Pierre-Louis Bossart
2018-12-11 23:21 ` Andy Shevchenko
2018-12-11 23:43 ` Pierre-Louis Bossart
2018-12-12 6:44 ` Takashi Iwai
2018-12-12 11:11 ` Takashi Iwai
2018-12-12 16:04 ` [Sound-open-firmware] " Pierre-Louis Bossart
2018-12-12 16:12 ` Takashi Iwai
2018-12-12 17:01 ` Pierre-Louis Bossart
2019-01-09 20:44 ` Mark Brown
2019-01-09 21:39 ` Pierre-Louis Bossart
2019-01-22 18:57 ` Mark Brown
2019-01-22 20:33 ` Pierre-Louis Bossart
2019-01-22 20:41 ` Mark Brown
2019-01-22 20:52 ` Pierre-Louis Bossart
2019-01-22 21:08 ` Mark Brown
2019-01-22 21:13 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 08/14] ASoC: SOF: Add DSP HW abstraction operations Pierre-Louis Bossart
2018-12-11 23:16 ` Andy Shevchenko
2018-12-11 23:45 ` Pierre-Louis Bossart
2019-01-09 20:51 ` Mark Brown
2019-01-09 21:37 ` Pierre-Louis Bossart
2019-01-22 18:56 ` Mark Brown
2018-12-11 21:23 ` [PATCH v3 09/14] ASoC: SOF: Add firmware loader support Pierre-Louis Bossart
2018-12-11 22:38 ` Andy Shevchenko
2018-12-11 23:54 ` Pierre-Louis Bossart
2019-01-09 20:55 ` Mark Brown
2018-12-12 11:23 ` Takashi Iwai
2018-12-12 16:06 ` [Sound-open-firmware] " Pierre-Louis Bossart
2019-01-09 21:02 ` Mark Brown
2019-01-09 21:24 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 10/14] ASoC: SOF: Add userspace ABI support Pierre-Louis Bossart
2018-12-21 11:10 ` Daniel Baluta
2018-12-21 14:59 ` [Sound-open-firmware] " Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 11/14] ASoC: SOF: Add PM support Pierre-Louis Bossart
2018-12-12 11:32 ` Takashi Iwai
2018-12-12 16:08 ` Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 12/14] ASoC: SOF: Add Nocodec machine driver support Pierre-Louis Bossart
2018-12-11 21:23 ` [PATCH v3 13/14] ASoC: SOF: Add xtensa support Pierre-Louis Bossart
2018-12-11 23:08 ` Andy Shevchenko
2018-12-12 0:00 ` Pierre-Louis Bossart
[not found] ` <93aff9af-c693-c951-4821-e9e334133ed0@linux.intel.com>
2018-12-13 9:58 ` [Sound-open-firmware] " rander.wang
2018-12-17 13:45 ` Takashi Iwai
2018-12-17 14:24 ` Mark Brown
2018-12-11 21:23 ` [PATCH v3 14/14] ASoC: SOF: Add utils Pierre-Louis Bossart
2018-12-11 23:06 ` Andy Shevchenko
2018-12-12 0:06 ` Pierre-Louis Bossart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s5hftv3urib.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=alan@linux.intel.com \
--cc=alsa-devel@alsa-project.org \
--cc=andriy.shevchenko@intel.com \
--cc=broonie@kernel.org \
--cc=daniel.baluta@gmail.com \
--cc=liam.r.girdwood@linux.intel.com \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=sound-open-firmware@alsa-project.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox