From mboxrd@z Thu Jan 1 00:00:00 1970
From: Péter Ujfalusi
Date: Wed, 27 Apr 2022 10:26:28 +0300
Subject: Re: out-of-bounds access in sound/soc/sof/topology.c
To: Sergey Senozhatsky, Pierre-Louis Bossart
Cc: alsa-devel@alsa-project.org, Kai Vehmanen, linux-kernel@vger.kernel.org, Ranjani Sridharan, Takashi Iwai, Liam Girdwood, Mark Brown, Ricardo Ribalda, Tomasz Figa, Jaska Uimonen, sound-open-firmware@alsa-project.org
References: <8eeb08ec-4836-cf7d-2285-8ed74ccfc1cb@linux.intel.com> <8986a1c6-b546-7a66-a778-048487624c95@linux.intel.com>

On 27/04/2022 09:55, Sergey Senozhatsky wrote:
> On (22/04/19 08:07), Pierre-Louis Bossart wrote:
>>> Your analyses are spot on, unfortunately. But...
>>>
>>> As of today, the sof_get_control_data() is in the call path of
>>> (ipc3-topology.c):
>>>
>>> sof_widget_update_ipc_comp_process() -> sof_process_load() ->
>>> sof_get_control_data()
>>>
>>> sof_widget_update_ipc_comp_process() is the ipc_setup callback for
>>> snd_soc_dapm_effect. If I'm not mistaken these only carry bin payload
>>> and never MIXER/ENUM/SWITCH/VOLUME.
>>> This means that the sof_get_control_data() is only called with
>>> SND_SOC_TPLG_TYPE_BYTES and for that the allocated data area is correct.
>>>
>>> This can explain why we have not seen any issues so far. This does not
>>> render the code right, as how it is written atm is wrong.
>>
>>
>> Sergey's results with KASAN show that there's a real-life problem though.
>> I also don't understand how that might happen.
>>
>> Could it be that these results are with a specific topology where our
>> assumptions are incorrect?
>
> Is there anything I can do to help?
I will send a patch shortly, I think it is going to be easy to backport for you and test it.

-- 
Péter
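The failure mode in the quoted explanation, a control-data area sized on the assumption that every control is an SND_SOC_TPLG_TYPE_BYTES control while other control types can reach the same path, reduced to a stand-alone C model. This is an added example, not code from the SOF driver or from anyone in this thread: the control types, `struct ctl`, the per-type size rules and the sample controls are hypothetical stand-ins, chosen to show why an all-bytes topology never trips the bug, why a mixed one overruns the buffer (the write KASAN reports), and what a bounds-checked gather returns instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical control kinds, named after the types mentioned in the thread. */
enum ctl_type { CTL_BYTES, CTL_MIXER, CTL_ENUM, CTL_SWITCH, CTL_VOLUME };

/* Hypothetical control descriptor (not SOF's real structure). */
struct ctl {
    enum ctl_type type;
    const uint8_t *blob;   /* CTL_BYTES: opaque payload */
    size_t blob_size;      /* CTL_BYTES: payload length; 0 for value controls */
    uint32_t val[2];       /* value controls: per-channel values */
    size_t nchan;          /* value controls: channels in use (1 or 2) */
};

/* What each control really contributes to the gathered payload. */
static size_t ctl_data_size(const struct ctl *c)
{
    switch (c->type) {
    case CTL_BYTES:
        return c->blob_size;
    case CTL_ENUM:
        return sizeof(uint32_t);             /* one selected item */
    case CTL_MIXER:
    case CTL_SWITCH:
    case CTL_VOLUME:
        return c->nchan * sizeof(uint32_t);  /* one value per channel */
    }
    return 0;
}

/* Buggy sizing: treats every control as a bytes control. It is only right
 * when the widget carries nothing but CTL_BYTES, which is why an all-bytes
 * topology never shows the problem. */
static size_t size_assuming_bytes(const struct ctl *ctls, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += ctls[i].blob_size;
    return total;
}

/* Correct sizing: ask each control what it actually contributes. */
static size_t size_by_type(const struct ctl *ctls, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += ctl_data_size(&ctls[i]);
    return total;
}

/* Copy every control's data into dst. Unlike a blind memcpy loop it checks
 * the remaining room before each copy and returns -1 instead of writing past
 * dst_len. Returns the number of bytes written on success. */
static long gather_controls(const struct ctl *ctls, size_t n,
                            uint8_t *dst, size_t dst_len)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        const struct ctl *c = &ctls[i];
        size_t len = ctl_data_size(c);
        if (len > dst_len - off)
            return -1;                       /* would overrun: refuse */
        memcpy(dst + off, c->type == CTL_BYTES ? c->blob : (const uint8_t *)c->val, len);
        off += len;
    }
    return (long)off;
}

/* Constructed sample: one 16-byte bytes control plus one stereo volume control. */
static const uint8_t sample_blob[16] = { 0xde, 0xad, 0xbe, 0xef };
static const struct ctl mixed_ctls[] = {
    { .type = CTL_BYTES,  .blob = sample_blob, .blob_size = sizeof(sample_blob) },
    { .type = CTL_VOLUME, .val = { 30, 30 }, .nchan = 2 },
};
#define N_MIXED (sizeof(mixed_ctls) / sizeof(mixed_ctls[0]))

size_t mixed_size_assuming_bytes(void) { return size_assuming_bytes(mixed_ctls, N_MIXED); }
size_t mixed_size_by_type(void)        { return size_by_type(mixed_ctls, N_MIXED); }

/* Gather the sample into a dst_len-byte area; -1 means the area sized by the
 * buggy rule would have been overrun by the value control. */
long mixed_gather(size_t dst_len)
{
    uint8_t buf[64] = { 0 };
    if (dst_len > sizeof(buf))
        return -1;
    return gather_controls(mixed_ctls, N_MIXED, buf, dst_len);
}

int main(void)
{
    size_t wrong = mixed_size_assuming_bytes();
    size_t right = mixed_size_by_type();
    printf("bytes-only sizing: %zu, per-type sizing: %zu\n", wrong, right);
    printf("gather into %zu bytes: %ld\n", wrong, mixed_gather(wrong));
    printf("gather into %zu bytes: %ld\n", right, mixed_gather(right));
    return 0;
}
```

With the sample above the bytes-only rule allocates 16 bytes while the controls need 24; the checked gather refuses the 16-byte area and fills the 24-byte one. In the unchecked form the second memcpy is the out-of-bounds write, and a topology with only bytes controls makes the two sizing rules agree, matching the "why we have not seen it so far" reasoning in the thread.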