alsa-devel.alsa-project.org archive mirror
* [PATCH] ALSA: mixart: Reduce size of mixart_timer_notify
@ 2021-12-07  6:29 Kees Cook
  2021-12-07  8:00 ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: Kees Cook @ 2021-12-07  6:29 UTC (permalink / raw)
  To: Jaroslav Kysela
  Cc: linux-kernel, alsa-devel, linux-hardening, Kees Cook, Takashi Iwai

The mixart_timer_notify structure was larger than could be represented
by the mixart_msg_data array storage. Adjust the size to as large as
possible to fix the warning seen with -Warray-bounds builds:

sound/pci/mixart/mixart_core.c: In function 'snd_mixart_threaded_irq':
sound/pci/mixart/mixart_core.c:447:50: error: array subscript 'struct mixart_timer_notify[0]' is partly outside array bounds of 'u32[128]' {aka 'unsigned int[128]'} [-Werror=array-bounds]
  447 |                                 for(i=0; i<notify->stream_count; i++) {
      |                                                  ^~
sound/pci/mixart/mixart_core.c:328:12: note: while referencing 'mixart_msg_data'
  328 | static u32 mixart_msg_data[MSG_DEFAULT_SIZE / 4];
      |            ^~~~~~~~~~~~~~~

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 sound/pci/mixart/mixart_core.c |  3 +--
 sound/pci/mixart/mixart_core.h | 10 +++++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/sound/pci/mixart/mixart_core.c b/sound/pci/mixart/mixart_core.c
index fb8895af0363..853083dd4bad 100644
--- a/sound/pci/mixart/mixart_core.c
+++ b/sound/pci/mixart/mixart_core.c
@@ -23,8 +23,6 @@
 #define MSG_DESCRIPTOR_SIZE         0x24
 #define MSG_HEADER_SIZE             (MSG_DESCRIPTOR_SIZE + 4)
 
-#define MSG_DEFAULT_SIZE            512
-
 #define MSG_TYPE_MASK               0x00000003    /* mask for following types */
 #define MSG_TYPE_NOTIFY             0             /* embedded -> driver (only notification, do not get_msg() !) */
 #define MSG_TYPE_COMMAND            1             /* driver <-> embedded (a command has no answer) */
@@ -444,6 +442,7 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id)
 				struct mixart_timer_notify *notify;
 				notify = (struct mixart_timer_notify *)mixart_msg_data;
 
+				BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data));
 				for(i=0; i<notify->stream_count; i++) {
 
 					u32 buffer_id = notify->streams[i].buffer_id;
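Review bot: In the added BUILD_BUG_ON, `sizeof(notify)` is the size of the pointer declared just above (`struct mixart_timer_notify *notify`), not of the structure, so the assertion compares a pointer's size with the `u32[128]` buffer and holds whatever size the struct has. Use `BUILD_BUG_ON(sizeof(*notify) > sizeof(mixart_msg_data));` so the build fails if the structure outgrows the buffer again. Separately, the loop that follows still takes its bound from `notify->stream_count` as read from the message; a check against the number of entries in `notify->streams` before the loop would keep the index inside the array.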
diff --git a/sound/pci/mixart/mixart_core.h b/sound/pci/mixart/mixart_core.h
index fbf4731a276d..2f0e29ed5d63 100644
--- a/sound/pci/mixart/mixart_core.h
+++ b/sound/pci/mixart/mixart_core.h
@@ -49,6 +49,7 @@ enum mixart_message_id {
 	MSG_CLOCK_SET_PROPERTIES             = 0x200002,
 };
 
+#define MSG_DEFAULT_SIZE            512
 
 struct mixart_msg
 {
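Review bot: MSG_DEFAULT_SIZE lands in the header with no comment, between the message-id enum and `struct mixart_msg`. It now sizes both the `mixart_msg_data` buffer in mixart_core.c and, through MIXART_MAX_TIMER_NOTIFY_STREAMS, the timer-notify array, so a one-line comment stating that it is a byte count and which buffer it describes would make that coupling visible to anyone who changes the value.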
@@ -251,10 +252,17 @@ struct mixart_sample_pos
 	u32   sample_pos_low_part;
 } __attribute__((packed));
 
+/*
+ * This structure is limited by the size of MSG_DEFAULT_SIZE. Instead of
+ * having MIXART_MAX_STREAM_PER_CARD * MIXART_MAX_CARDS many streams,
+ * this is capped to have a total size below MSG_DEFAULT_SIZE.
+ */
+#define MIXART_MAX_TIMER_NOTIFY_STREAMS				\
+	((MSG_DEFAULT_SIZE - sizeof(u32)) / sizeof(struct mixart_sample_pos))
 struct mixart_timer_notify
 {
 	u32                  stream_count;
-	struct mixart_sample_pos  streams[MIXART_MAX_STREAM_PER_CARD * MIXART_MAX_CARDS];
+	struct mixart_sample_pos  streams[MIXART_MAX_TIMER_NOTIFY_STREAMS];
 } __attribute__((packed));
 
 
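Review bot: The comment above MIXART_MAX_TIMER_NOTIFY_STREAMS promises a total size below MSG_DEFAULT_SIZE, but nothing next to the struct enforces it, and the macro hard-codes `sizeof(u32)` for the `stream_count` member, so adding or widening a field ahead of `streams[]` would break the cap without any diagnostic. A `static_assert(sizeof(struct mixart_timer_notify) <= MSG_DEFAULT_SIZE)` directly after the struct definition would keep the invariant with the type. The comment could also state that the array no longer covers MIXART_MAX_STREAM_PER_CARD * MIXART_MAX_CARDS entries, so code reading `stream_count` has to bound it by MIXART_MAX_TIMER_NOTIFY_STREAMS.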
-- 
2.30.2



* Re: [PATCH] ALSA: mixart: Reduce size of mixart_timer_notify
  2021-12-07  6:29 [PATCH] ALSA: mixart: Reduce size of mixart_timer_notify Kees Cook
@ 2021-12-07  8:00 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2021-12-07  8:00 UTC (permalink / raw)
  To: Kees Cook; +Cc: linux-kernel, alsa-devel, linux-hardening, Takashi Iwai

On Tue, 07 Dec 2021 07:29:41 +0100,
Kees Cook wrote:
> 
> The mixart_timer_notify structure was larger than could be represented
> by the mixart_msg_data array storage. Adjust the size to as large as
> possible to fix the warning seen with -Warray-bounds builds:
> 
> sound/pci/mixart/mixart_core.c: In function 'snd_mixart_threaded_irq':
> sound/pci/mixart/mixart_core.c:447:50: error: array subscript 'struct mixart_timer_notify[0]' is partly outside array bounds of 'u32[128]' {aka 'unsigned int[128]'} [-Werror=array-bounds]
>   447 |                                 for(i=0; i<notify->stream_count; i++) {
>       |                                                  ^~
> sound/pci/mixart/mixart_core.c:328:12: note: while referencing 'mixart_msg_data'
>   328 | static u32 mixart_msg_data[MSG_DEFAULT_SIZE / 4];
>       |            ^~~~~~~~~~~~~~~
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>

Thanks, applied now.

> @@ -444,6 +442,7 @@ irqreturn_t snd_mixart_threaded_irq(int irq, void *dev_id)
>  				struct mixart_timer_notify *notify;
>  				notify = (struct mixart_timer_notify *)mixart_msg_data;
>  
> +				BUILD_BUG_ON(sizeof(notify) > sizeof(mixart_msg_data));
>  				for(i=0; i<notify->stream_count; i++) {
>  
>  					u32 buffer_id = notify->streams[i].buffer_id;

I guess we should add the array boundary check of
notify->stream_count, instead of fully relying on the hardware reply,
too.  Will submit the additional check.


Takashi
