Subject: Re: out-of-bounds access in sound/soc/sof/topology.c
From: Péter Ujfalusi
Date: Wed, 27 Apr 2022 10:26:28 +0300
To: Sergey Senozhatsky, Pierre-Louis Bossart
Cc: alsa-devel@alsa-project.org, Kai Vehmanen, linux-kernel@vger.kernel.org, Ranjani Sridharan, Takashi Iwai, Liam Girdwood, Mark Brown, Ricardo Ribalda, Tomasz Figa, Jaska Uimonen, sound-open-firmware@alsa-project.org
References: <8eeb08ec-4836-cf7d-2285-8ed74ccfc1cb@linux.intel.com> <8986a1c6-b546-7a66-a778-048487624c95@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 27/04/2022 09:55, Sergey Senozhatsky wrote:
> On (22/04/19 08:07), Pierre-Louis Bossart wrote:
>>> Your analysis is spot on, unfortunately. But...
>>>
>>> As of today, the sof_get_control_data() is in the call path of
>>> (ipc3-topology.c):
>>>
>>> sof_widget_update_ipc_comp_process() -> sof_process_load() ->
>>> sof_get_control_data()
>>>
>>> sof_widget_update_ipc_comp_process() is the ipc_setup callback for
>>> snd_soc_dapm_effect. If I'm not mistaken these only carry bin payload
>>> and never MIXER/ENUM/SWITCH/VOLUME.
>>> This means that the sof_get_control_data() is only called with
>>> SND_SOC_TPLG_TYPE_BYTES and for that the allocated data area is correct.
>>>
>>> This can explain why we have not seen any issues so far. This does not
>>> render the code right, as how it is written atm is wrong.
>>
>>
>> Sergey's results with KASAN show that there's a real-life problem though.
>> I also don't understand how that might happen.
>>
>> Could it be that these results are with a specific topology where our
>> assumptions are incorrect?
>
> Is there anything I can do to help?
I will send a patch shortly; I think it is going to be easy to backport for you and test it.

-- 
Péter
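As an added illustration, not code from the SOF tree or from anyone in this thread: a simplified model of the per-control-type payload sizing that sof_get_control_data() has to get right, showing the unchecked "everything is a bytes payload" assumption beside a type-aware, bounded version. The struct layouts, the TPLG_TYPE_* values and the sample controls are constructed stand-ins for the kernel's sof_ipc_ctrl_data and topology control types, not the real definitions.

```c
/* Added model (not SOF's code): per-control-type payload sizing; layouts and values are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>

enum { TPLG_TYPE_MIXER = 1, TPLG_TYPE_BYTES = 2, TPLG_TYPE_ENUM = 3 };
struct abi_hdr { uint32_t magic, type, size, abi; };  /* stand-in for sof_abi_hdr */
struct chan_value { uint32_t channel, value; };       /* stand-in for one chanv[] entry */
struct ctrl_data {                                    /* stand-in for sof_ipc_ctrl_data */
    uint32_t num_elems;
    union {
        struct chan_value chanv[4];  /* MIXER/ENUM/SWITCH/VOLUME: num_elems channel values */
        struct abi_hdr data[1];      /* BYTES: ABI header followed by data[0].size bytes */
    };
};

/* Unchecked pattern: every control is assumed to carry a bytes payload, so for a
 * mixer control the channel values are read as an ABI header with a bogus size. */
static size_t payload_size_bytes_only(const struct ctrl_data *cd)
{
    return sizeof(struct abi_hdr) + cd->data[0].size;
}

/* Checked pattern: derive the size from the control type and bound it by the
 * space actually available in the union; -1 means refuse rather than copy. */
static long payload_size_checked(int type, const struct ctrl_data *cd, size_t avail)
{
    const size_t hdr = sizeof(struct abi_hdr), chan = sizeof(struct chan_value);
    switch (type) {
    case TPLG_TYPE_MIXER:
    case TPLG_TYPE_ENUM:
        return cd->num_elems <= avail / chan ? (long)(cd->num_elems * chan) : -1;
    case TPLG_TYPE_BYTES:
        return avail >= hdr && cd->data[0].size <= avail - hdr ? (long)(hdr + cd->data[0].size) : -1;
    default:
        return -1;
    }
}

/* Constructed mixer control: two channels. Misread as bytes, chanv[1].channel lands on abi_hdr.size. */
static const struct ctrl_data MIXER_SAMPLE = { .num_elems = 2, .chanv = { { 0, 100 }, { 1, 100 } } };

/* Constructed bytes control whose header claims `claimed` bytes of data. */
static long demo_bytes_checked(uint32_t claimed)
{
    struct ctrl_data cd = { .num_elems = 1, .data = { { 0, 0, claimed, 0 } } };
    return payload_size_checked(TPLG_TYPE_BYTES, &cd, sizeof cd.chanv);
}
```

The mixer sample sizes to 16 bytes when typed correctly but to 17 under the bytes-only assumption, because a channel index is being read as a header size; a bytes control whose header claims more than the buffer holds is rejected instead of copied.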