* re: ASoC: qcom: sm8250: add sound card qrb5165-rb5 support
@ 2020-10-28 12:15 Colin Ian King
2020-10-28 14:20 ` Srinivas Kandagatla
0 siblings, 1 reply; 2+ messages in thread
From: Colin Ian King @ 2020-10-28 12:15 UTC (permalink / raw)
To: Srinivas Kandagatla
Cc: alsa-devel, Banajit Goswami, linux-kernel, Patrick Lai,
Takashi Iwai, Liam Girdwood, Mark Brown
Hi,
Static analysis on linux-next with Coverity had detected a potential
array out-of-bounds write issue in the following commit:
commit aa2e2785545aab21b6cb2e23f111ae0751cbcca7
Author: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Date: Mon Oct 26 17:09:47 2020 +0000
ASoC: qcom: sm8250: add sound card qrb5165-rb5 support
The analysis is as follows:
139 static int sm8250_snd_hw_free(struct snd_pcm_substream *substream)
140 {
141 struct snd_soc_pcm_runtime *rtd = substream->private_data;
142 struct sm8250_snd_data *data =
snd_soc_card_get_drvdata(rtd->card);
143 struct snd_soc_dai *cpu_dai = asoc_rtd_to_cpu(rtd, 0);
144 struct sdw_stream_runtime *sruntime =
data->sruntime[cpu_dai->id];
145
1. Switch case value 105.
146 switch (cpu_dai->id) {
2. equality_cond: Jumping to case 105.
147 case WSA_CODEC_DMA_RX_0:
148 case WSA_CODEC_DMA_RX_1:
Out-of-bounds write (OVERRUN)
3. Condition sruntime, taking true branch.
4. Condition data->stream_prepared[cpu_dai->id], taking true branch.
149 if (sruntime && data->stream_prepared[cpu_dai->id]) {
150 sdw_disable_stream(sruntime);
151 sdw_deprepare_stream(sruntime);
Out-of-bounds write (OVERRUN)
5. overrun-local: Overrunning array data->stream_prepared of 16 bytes
at byte offset 105 using index cpu_dai->id (which evaluates to 105).
152 data->stream_prepared[cpu_dai->id] = false;
153 }
154 break;
155 default:
156 break;
157 }
158
159 return 0;
160 }
So cpu_dia->id is 105 in this case statement, and yet
data->steam_prepared is an array of 16 elements, so this looks suspect.
Colin
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: ASoC: qcom: sm8250: add sound card qrb5165-rb5 support
2020-10-28 12:15 ASoC: qcom: sm8250: add sound card qrb5165-rb5 support Colin Ian King
@ 2020-10-28 14:20 ` Srinivas Kandagatla
0 siblings, 0 replies; 2+ messages in thread
From: Srinivas Kandagatla @ 2020-10-28 14:20 UTC (permalink / raw)
To: Colin Ian King
Cc: alsa-devel, Banajit Goswami, linux-kernel, Patrick Lai,
Takashi Iwai, Liam Girdwood, Mark Brown
Thanks for reporting this,
On 28/10/2020 12:15, Colin Ian King wrote:
> Hi,
>
> Static analysis on linux-next with Coverity had detected a potential
> array out-of-bounds write issue in the following commit:
Sent out a fix to address this!
--srini
>
> commit aa2e2785545aab21b6cb2e23f111ae0751cbcca7
> Author: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
> Date: Mon Oct 26 17:09:47 2020 +0000
>
> ASoC: qcom: sm8250: add sound card qrb5165-rb5 support
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-10-28 14:22 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-28 12:15 ASoC: qcom: sm8250: add sound card qrb5165-rb5 support Colin Ian King
2020-10-28 14:20 ` Srinivas Kandagatla
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).