Alsa-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [alsa-devel] [PATCH] ASoC: SOF: topology: Fix bytes control size checks
@ 2019-11-06 14:58 Pierre-Louis Bossart
  2019-11-06 16:21 ` [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree Mark Brown
  2019-11-07 13:13 ` Mark Brown
  0 siblings, 2 replies; 7+ messages in thread
From: Pierre-Louis Bossart @ 2019-11-06 14:58 UTC (permalink / raw)
  To: alsa-devel
  Cc: Dragos Tarcatu, Jaska Uimonen, tiwai, Pierre-Louis Bossart,
	Ranjani Sridharan, broonie

From: Dragos Tarcatu <dragos_tarcatu@mentor.com>

When using the example SOF amp widget topology, KASAN dumps this
when the AMP bytes kcontrol gets loaded:

[ 9.579548] BUG: KASAN: slab-out-of-bounds in
sof_control_load+0x8cc/0xac0 [snd_sof]
[ 9.588194] Write of size 40 at addr ffff8882314559dc by task
systemd-udevd/2411

Fix that by rejecting the topology if the bytes data size > max_size

Fixes: 311ce4fe7637d ("ASoC: SOF: Add support for loading topologies")
Reviewed-by: Jaska Uimonen <jaska.uimonen@intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
---
 sound/soc/sof/topology.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 17fe6a1d5f3e..6096731e89ce 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -1048,15 +1048,16 @@ static int sof_control_load_bytes(struct snd_soc_component *scomp,
 	struct soc_bytes_ext *sbe = (struct soc_bytes_ext *)kc->private_value;
 	int max_size = sbe->max;
 
-	if (le32_to_cpu(control->priv.size) > max_size) {
+	/* init the get/put bytes data */
+	scontrol->size = sizeof(struct sof_ipc_ctrl_data) +
+		le32_to_cpu(control->priv.size);
+
+	if (scontrol->size > max_size) {
 		dev_err(sdev->dev, "err: bytes data size %d exceeds max %d.\n",
-			control->priv.size, max_size);
+			scontrol->size, max_size);
 		return -EINVAL;
 	}
 
-	/* init the get/put bytes data */
-	scontrol->size = sizeof(struct sof_ipc_ctrl_data) +
-		le32_to_cpu(control->priv.size);
 	scontrol->control_data = kzalloc(max_size, GFP_KERNEL);
 	cdata = scontrol->control_data;
 	if (!scontrol->control_data)
-- 
2.20.1

_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree
  2019-11-06 14:58 [alsa-devel] [PATCH] ASoC: SOF: topology: Fix bytes control size checks Pierre-Louis Bossart
@ 2019-11-06 16:21 ` Mark Brown
  2019-11-06 16:29   ` Mark Brown
  2019-11-07 13:13 ` Mark Brown
  1 sibling, 1 reply; 7+ messages in thread
From: Mark Brown @ 2019-11-06 16:21 UTC (permalink / raw)
  To: Dragos Tarcatu
  Cc: alsa-devel, Jaska Uimonen, tiwai, Pierre-Louis Bossart,
	Ranjani Sridharan, Mark Brown

The patch

   ASoC: SOF: topology: Fix bytes control size checks

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.4

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

From 9508ef5a980f5d847cad9b932b6ada8f2a3466c1 Mon Sep 17 00:00:00 2001
From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Date: Wed, 6 Nov 2019 08:58:16 -0600
Subject: [PATCH] ASoC: SOF: topology: Fix bytes control size checks

When using the example SOF amp widget topology, KASAN dumps this
when the AMP bytes kcontrol gets loaded:

[ 9.579548] BUG: KASAN: slab-out-of-bounds in
sof_control_load+0x8cc/0xac0 [snd_sof]
[ 9.588194] Write of size 40 at addr ffff8882314559dc by task
systemd-udevd/2411

Fix that by rejecting the topology if the bytes data size > max_size

Fixes: 311ce4fe7637d ("ASoC: SOF: Add support for loading topologies")
Reviewed-by: Jaska Uimonen <jaska.uimonen@intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20191106145816.9367-1-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/sof/topology.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index 0aabb3190ddc..4452594c2e17 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -543,15 +543,16 @@ static int sof_control_load_bytes(struct snd_soc_component *scomp,
 	struct soc_bytes_ext *sbe = (struct soc_bytes_ext *)kc->private_value;
 	int max_size = sbe->max;
 
-	if (le32_to_cpu(control->priv.size) > max_size) {
+	/* init the get/put bytes data */
+	scontrol->size = sizeof(struct sof_ipc_ctrl_data) +
+		le32_to_cpu(control->priv.size);
+
+	if (scontrol->size > max_size) {
 		dev_err(sdev->dev, "err: bytes data size %d exceeds max %d.\n",
-			control->priv.size, max_size);
+			scontrol->size, max_size);
 		return -EINVAL;
 	}
 
-	/* init the get/put bytes data */
-	scontrol->size = sizeof(struct sof_ipc_ctrl_data) +
-		le32_to_cpu(control->priv.size);
 	scontrol->control_data = kzalloc(max_size, GFP_KERNEL);
 	cdata = scontrol->control_data;
 	if (!scontrol->control_data)
-- 
2.20.1

_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree
  2019-11-06 16:21 ` [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree Mark Brown
@ 2019-11-06 16:29   ` Mark Brown
  2019-11-06 16:49     ` Pierre-Louis Bossart
  0 siblings, 1 reply; 7+ messages in thread
From: Mark Brown @ 2019-11-06 16:29 UTC (permalink / raw)
  To: Dragos Tarcatu
  Cc: tiwai, alsa-devel, Jaska Uimonen, Pierre-Louis Bossart,
	Ranjani Sridharan

[-- Attachment #1.1: Type: text/plain, Size: 463 bytes --]

On Wed, Nov 06, 2019 at 04:21:46PM +0000, Mark Brown wrote:
> The patch
> 
>    ASoC: SOF: topology: Fix bytes control size checks
> 
> has been applied to the asoc tree at
> 
>    https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.4

It's not immediately obvious if something similar is needed for -next,
the relevant code has been redone since v5.4 was branched off.  If
something is needed someone will have to send something.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[-- Attachment #2: Type: text/plain, Size: 161 bytes --]

_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree
  2019-11-06 16:29   ` Mark Brown
@ 2019-11-06 16:49     ` Pierre-Louis Bossart
  2019-11-06 16:54       ` Mark Brown
  0 siblings, 1 reply; 7+ messages in thread
From: Pierre-Louis Bossart @ 2019-11-06 16:49 UTC (permalink / raw)
  To: Mark Brown, Dragos Tarcatu
  Cc: tiwai, alsa-devel, Jaska Uimonen, Ranjani Sridharan



On 11/6/19 10:29 AM, Mark Brown wrote:
> On Wed, Nov 06, 2019 at 04:21:46PM +0000, Mark Brown wrote:
>> The patch
>>
>>     ASoC: SOF: topology: Fix bytes control size checks
>>
>> has been applied to the asoc tree at
>>
>>     https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.4
> 
> It's not immediately obvious if something similar is needed for -next,
> the relevant code has been redone since v5.4 was branched off.  If
> something is needed someone will have to send something.

I checked that the patch applies even before Jaska's October rework, 
where the same bug was present. so in theory picking this fix for 
5.2..5.4 would work as usual.
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree
  2019-11-06 16:49     ` Pierre-Louis Bossart
@ 2019-11-06 16:54       ` Mark Brown
  2019-11-06 18:15         ` Pierre-Louis Bossart
  0 siblings, 1 reply; 7+ messages in thread
From: Mark Brown @ 2019-11-06 16:54 UTC (permalink / raw)
  To: Pierre-Louis Bossart
  Cc: Dragos Tarcatu, tiwai, alsa-devel, Jaska Uimonen, Ranjani Sridharan

[-- Attachment #1.1: Type: text/plain, Size: 706 bytes --]

On Wed, Nov 06, 2019 at 10:49:20AM -0600, Pierre-Louis Bossart wrote:
> On 11/6/19 10:29 AM, Mark Brown wrote:
> > On Wed, Nov 06, 2019 at 04:21:46PM +0000, Mark Brown wrote:

> > It's not immediately obvious if something similar is needed for -next,
> > the relevant code has been redone since v5.4 was branched off.  If
> > something is needed someone will have to send something.

> I checked that the patch applies even before Jaska's October rework, where
> the same bug was present. so in theory picking this fix for 5.2..5.4 would
> work as usual.

What I'm saying is that I did that and if the fix is still needed after
the rework someone will need to send a version that applies after the
rework.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[-- Attachment #2: Type: text/plain, Size: 161 bytes --]

_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree
  2019-11-06 16:54       ` Mark Brown
@ 2019-11-06 18:15         ` Pierre-Louis Bossart
  0 siblings, 0 replies; 7+ messages in thread
From: Pierre-Louis Bossart @ 2019-11-06 18:15 UTC (permalink / raw)
  To: Mark Brown
  Cc: Dragos Tarcatu, tiwai, alsa-devel, Jaska Uimonen, Ranjani Sridharan



On 11/6/19 10:54 AM, Mark Brown wrote:
> On Wed, Nov 06, 2019 at 10:49:20AM -0600, Pierre-Louis Bossart wrote:
>> On 11/6/19 10:29 AM, Mark Brown wrote:
>>> On Wed, Nov 06, 2019 at 04:21:46PM +0000, Mark Brown wrote:
> 
>>> It's not immediately obvious if something similar is needed for -next,
>>> the relevant code has been redone since v5.4 was branched off.  If
>>> something is needed someone will have to send something.
> 
>> I checked that the patch applies even before Jaska's October rework, where
>> the same bug was present. so in theory picking this fix for 5.2..5.4 would
>> work as usual.
> 
> What I'm saying is that I did that and if the fix is still needed after
> the rework someone will need to send a version that applies after the
> rework.

Sorry, the same patch will apply before and after the rework, so you can 
apply it to for-next as well. You don't need a new version.
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree
  2019-11-06 14:58 [alsa-devel] [PATCH] ASoC: SOF: topology: Fix bytes control size checks Pierre-Louis Bossart
  2019-11-06 16:21 ` [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree Mark Brown
@ 2019-11-07 13:13 ` Mark Brown
  1 sibling, 0 replies; 7+ messages in thread
From: Mark Brown @ 2019-11-07 13:13 UTC (permalink / raw)
  To: Dragos Tarcatu
  Cc: alsa-devel, Jaska Uimonen, tiwai, Pierre-Louis Bossart,
	Ranjani Sridharan, Mark Brown

The patch

   ASoC: SOF: topology: Fix bytes control size checks

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git 

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

From 2acdcabb8a4089476208a822050dd47a6557290d Mon Sep 17 00:00:00 2001
From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Date: Wed, 6 Nov 2019 08:58:16 -0600
Subject: [PATCH] ASoC: SOF: topology: Fix bytes control size checks

When using the example SOF amp widget topology, KASAN dumps this
when the AMP bytes kcontrol gets loaded:

[ 9.579548] BUG: KASAN: slab-out-of-bounds in
sof_control_load+0x8cc/0xac0 [snd_sof]
[ 9.588194] Write of size 40 at addr ffff8882314559dc by task
systemd-udevd/2411

Fix that by rejecting the topology if the bytes data size > max_size

Fixes: 311ce4fe7637d ("ASoC: SOF: Add support for loading topologies")
Reviewed-by: Jaska Uimonen <jaska.uimonen@intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20191106145816.9367-1-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/sof/topology.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
index e7076692119b..143b8259a70a 100644
--- a/sound/soc/sof/topology.c
+++ b/sound/soc/sof/topology.c
@@ -1043,15 +1043,16 @@ static int sof_control_load_bytes(struct snd_soc_component *scomp,
 	struct soc_bytes_ext *sbe = (struct soc_bytes_ext *)kc->private_value;
 	int max_size = sbe->max;
 
-	if (le32_to_cpu(control->priv.size) > max_size) {
+	/* init the get/put bytes data */
+	scontrol->size = sizeof(struct sof_ipc_ctrl_data) +
+		le32_to_cpu(control->priv.size);
+
+	if (scontrol->size > max_size) {
 		dev_err(sdev->dev, "err: bytes data size %d exceeds max %d.\n",
-			control->priv.size, max_size);
+			scontrol->size, max_size);
 		return -EINVAL;
 	}
 
-	/* init the get/put bytes data */
-	scontrol->size = sizeof(struct sof_ipc_ctrl_data) +
-		le32_to_cpu(control->priv.size);
 	scontrol->control_data = kzalloc(max_size, GFP_KERNEL);
 	cdata = scontrol->control_data;
 	if (!scontrol->control_data)
-- 
2.20.1

_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-06 14:58 [alsa-devel] [PATCH] ASoC: SOF: topology: Fix bytes control size checks Pierre-Louis Bossart
2019-11-06 16:21 ` [alsa-devel] Applied "ASoC: SOF: topology: Fix bytes control size checks" to the asoc tree Mark Brown
2019-11-06 16:29   ` Mark Brown
2019-11-06 16:49     ` Pierre-Louis Bossart
2019-11-06 16:54       ` Mark Brown
2019-11-06 18:15         ` Pierre-Louis Bossart
2019-11-07 13:13 ` Mark Brown

Alsa-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/alsa-devel/0 alsa-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 alsa-devel alsa-devel/ https://lore.kernel.org/alsa-devel \
		alsa-devel@alsa-project.org
	public-inbox-index alsa-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.alsa-project.alsa-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git