From mboxrd@z Thu Jan  1 00:00:00 1970
From: Takashi Iwai <tiwai@suse.de>
Subject: Re: [PATCH v3 09/14] ASoC: SOF: Add firmware loader
	support
Date: Wed, 12 Dec 2018 12:23:33 +0100
Message-ID: <s5htvjjj8ei.wl-tiwai@suse.de>
References: <20181211212318.28644-1-pierre-louis.bossart@linux.intel.com>
 <20181211212318.28644-10-pierre-louis.bossart@linux.intel.com>
Mime-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <alsa-devel-bounces@alsa-project.org>
In-Reply-To: <20181211212318.28644-10-pierre-louis.bossart@linux.intel.com>
List-Unsubscribe: <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
 <mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
 <mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
To: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Cc: alsa-devel@alsa-project.org, andriy.shevchenko@intel.com, Daniel Baluta <daniel.baluta@gmail.com>, liam.r.girdwood@linux.intel.com, vkoul@kernel.org, broonie@kernel.org, Alan Cox <alan@linux.intel.com>, sound-open-firmware@alsa-project.org
List-Id: alsa-devel@alsa-project.org

On Tue, 11 Dec 2018 22:23:13 +0100,
Pierre-Louis Bossart wrote:
> 
> +/* generic module parser for mmaped DSPs */
> +int snd_sof_parse_module_memcpy(struct snd_sof_dev *sdev,
> +				struct snd_sof_mod_hdr *module)
> +{
> +	struct snd_sof_blk_hdr *block;
> +	int count;
> +	u32 offset;
> +
> +	dev_dbg(sdev->dev, "new module size 0x%x blocks 0x%x type 0x%x\n",
> +		module->size, module->num_blocks, module->type);
> +
> +	block = (void *)module + sizeof(*module);
> +
> +	for (count = 0; count < module->num_blocks; count++) {

Need a sanity check that it won't go beyond the actual firmware size.
User may pass a malicious module data, e.g. with extra large
num_blocks.

> +		if (block->size == 0) {
> +			dev_warn(sdev->dev,
> +				 "warning: block %d size zero\n", count);
> +			dev_warn(sdev->dev, " type 0x%x offset 0x%x\n",
> +				 block->type, block->offset);
> +			continue;
> +		}
> +
> +		switch (block->type) {
> +		case SOF_BLK_IMAGE:
> +		case SOF_BLK_CACHE:
> +		case SOF_BLK_REGS:
> +		case SOF_BLK_SIG:
> +		case SOF_BLK_ROM:
> +			continue;	/* not handled atm */
> +		case SOF_BLK_TEXT:
> +		case SOF_BLK_DATA:
> +			offset = block->offset;
> +			break;
> +		default:
> +			dev_err(sdev->dev, "error: bad type 0x%x for block 0x%x\n",
> +				block->type, count);
> +			return -EINVAL;
> +		}
> +
> +		dev_dbg(sdev->dev,
> +			"block %d type 0x%x size 0x%x ==>  offset 0x%x\n",
> +			count, block->type, block->size, offset);
> +
> +		snd_sof_dsp_block_write(sdev, offset,
> +					(void *)block + sizeof(*block),
> +					block->size);
> +
> +		/* next block */
> +		block = (void *)block + sizeof(*block) + block->size;

This may lead to an unaligned access.
Also how is the endianess guaranteed?


thanks,

Takashi