From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>,
Curtis Malainey <cujomalainey@chromium.org>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
Curtis Malainey <curtis@malainey.com>,
Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>,
lgirdwood@gmail.com, yung-chuan.liao@linux.intel.com,
ranjani.sridharan@linux.intel.com, daniel.baluta@nxp.com,
perex@perex.cz, tiwai@suse.com,
sound-open-firmware@alsa-project.org,
alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 6.1 10/34] ASoC: SOF: ipc3: Check for upper size limit for the received message
Date: Wed, 22 Mar 2023 15:59:02 -0400 [thread overview]
Message-ID: <20230322195926.1996699-10-sashal@kernel.org> (raw)
In-Reply-To: <20230322195926.1996699-1-sashal@kernel.org>
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 989a3e4479177d0f4afab8be1960731bc0ffbbd0 ]
The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is
missing the check for upper limit.
Corrupted or compromised firmware might be able to take advantage of this
to cause out of bounds reads outside of the message area.
Reported-by: Curtis Malainey <cujomalainey@chromium.org>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Curtis Malainey <curtis@malainey.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20230307114917.5124-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/ipc3.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c
index b28af3a48b707..60b96b0c2412f 100644
--- a/sound/soc/sof/ipc3.c
+++ b/sound/soc/sof/ipc3.c
@@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev)
return;
}
- if (hdr.size < sizeof(hdr)) {
- dev_err(sdev->dev, "The received message size is invalid\n");
+ if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) {
+ dev_err(sdev->dev, "The received message size is invalid: %u\n",
+ hdr.size);
return;
}
--
2.39.2
next prev parent reply other threads:[~2023-03-22 20:07 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-22 19:58 [PATCH AUTOSEL 6.1 01/34] xfrm: Zero padding when dumping algos and encap Sasha Levin
2023-03-22 19:58 ` [PATCH AUTOSEL 6.1 02/34] ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds Sasha Levin
2023-03-22 19:58 ` [PATCH AUTOSEL 6.1 03/34] ASoC: Intel: avs: max98357a: Explicitly define codec format Sasha Levin
2023-03-22 19:58 ` [PATCH AUTOSEL 6.1 04/34] ASoC: Intel: avs: da7219: " Sasha Levin
2023-03-22 19:58 ` [PATCH AUTOSEL 6.1 05/34] ASoC: Intel: avs: ssm4567: Remove nau8825 bits Sasha Levin
2023-03-22 19:58 ` [PATCH AUTOSEL 6.1 06/34] ASoC: Intel: avs: nau8825: Adjust clock control Sasha Levin
2023-03-22 19:58 ` [PATCH AUTOSEL 6.1 07/34] zstd: Fix definition of assert() Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 08/34] ACPI: video: Add backlight=native DMI quirk for Dell Vostro 15 3535 Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 09/34] ACPI: x86: Add skip i2c clients quirk for Lenovo Yoga Book X90 Sasha Levin
2023-03-22 19:59 ` Sasha Levin [this message]
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 11/34] ASoC: SOF: ipc4-topology: Fix incorrect sample rate print unit Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 12/34] ASoC: SOF: Intel: pci-tng: revert invalid bar size setting Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 13/34] ASoC: SOF: IPC4: update gain ipc msg definition to align with fw Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 14/34] md: avoid signed overflow in slot_store() Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 15/34] x86/PVH: obtain VGA console info in Dom0 Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 16/34] drm/amdkfd: Fix BO offset for multi-VMA page migration Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 17/34] drm/amdkfd: fix a potential double free in pqm_create_queue Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 18/34] drm/amdkfd: fix potential kgd_mem UAFs Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 19/34] net: hsr: Don't log netdev_err message on unknown prp dst node Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 20/34] ALSA: asihpi: check pao in control_message() Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 21/34] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 22/34] fbdev: tgafb: Fix potential divide by zero Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 23/34] ACPI: tools: pfrut: Check if the input of level and type is in the right numeric range Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 24/34] sched_getaffinity: don't assume 'cpumask_size()' is fully initialized Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 25/34] nvme-pci: add NVME_QUIRK_BOGUS_NID for Lexar NM620 Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 26/34] drm/amdkfd: Fixed kfd_process cleanup on module exit Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 27/34] net/mlx5e: Lower maximum allowed MTU in XSK to match XDP prerequisites Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 28/34] fbdev: nvidia: Fix potential divide by zero Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 29/34] fbdev: intelfb: " Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 30/34] fbdev: lxfb: " Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 31/34] fbdev: au1200fb: " Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 32/34] tools/power turbostat: Fix /dev/cpu_dma_latency warnings Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 33/34] tools/power turbostat: fix decoding of HWP_STATUS Sasha Levin
2023-03-22 19:59 ` [PATCH AUTOSEL 6.1 34/34] tracing: Fix wrong return in kprobe_event_gen_test.c Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230322195926.1996699-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alsa-devel@alsa-project.org \
--cc=broonie@kernel.org \
--cc=cujomalainey@chromium.org \
--cc=curtis@malainey.com \
--cc=daniel.baluta@nxp.com \
--cc=lgirdwood@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=peter.ujfalusi@linux.intel.com \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=ranjani.sridharan@linux.intel.com \
--cc=sound-open-firmware@alsa-project.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
--cc=yung-chuan.liao@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox