From: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
To: alsa-devel@alsa-project.org
Subject: [alsa-devel] [PATCH 1/2] ASoC: topology: protect against accessing beyond loaded topology data
Date: Mon, 7 Oct 2019 10:41:32 +0200 [thread overview]
Message-ID: <20191007084133.7674-2-guennadi.liakhovetski@linux.intel.com> (raw)
In-Reply-To: <20191007084133.7674-1-guennadi.liakhovetski@linux.intel.com>
Add checks for sufficient topology data length before accessing data
according to its internal structure. Without these checks malformed
or corrupted topology images can lead to accessing invalid addresses
in the kernel.
Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
---
sound/soc/soc-topology.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 0fd0329..d1d3c6f 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2501,9 +2501,18 @@ static int soc_tplg_manifest_load(struct soc_tplg *tplg,
static int soc_valid_header(struct soc_tplg *tplg,
struct snd_soc_tplg_hdr *hdr)
{
+ size_t remainder = tplg->fw->size - soc_tplg_get_hdr_offset(tplg);
+
if (soc_tplg_get_hdr_offset(tplg) >= tplg->fw->size)
return 0;
+ /* Check that we have enough data before accessing the header */
+ if (remainder < sizeof(*hdr)) {
+ dev_err(tplg->dev, "ASoC: insufficient %zd bytes.\n",
+ remainder);
+ return -EINVAL;
+ }
+
if (le32_to_cpu(hdr->size) != sizeof(*hdr)) {
dev_err(tplg->dev,
"ASoC: invalid header size for type %d at offset 0x%lx size 0x%zx.\n",
@@ -2546,6 +2555,14 @@ static int soc_valid_header(struct soc_tplg *tplg,
return -EINVAL;
}
+ if (le32_to_cpu(hdr->payload_size) + sizeof(*hdr) > remainder) {
+ dev_err(tplg->dev,
+ "ASoC: payload size %zu too large at offset 0x%lx.\n",
+ le32_to_cpu(hdr->payload_size),
+ soc_tplg_get_hdr_offset(tplg));
+ return -EINVAL;
+ }
+
if (tplg->pass == le32_to_cpu(hdr->type))
dev_dbg(tplg->dev,
"ASoC: Got 0x%x bytes of type %d version %d vendor %d at pass %d\n",
--
1.9.3
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
next prev parent reply other threads:[~2019-10-07 8:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-07 8:41 [alsa-devel] [PATCH 0/2] [RFC] ASoC: topology: fix access beyond data Guennadi Liakhovetski
2019-10-07 8:41 ` Guennadi Liakhovetski [this message]
2019-10-07 14:17 ` [alsa-devel] [PATCH 1/2] ASoC: topology: protect against accessing beyond loaded topology data Pierre-Louis Bossart
2019-10-07 14:42 ` Guennadi Liakhovetski
2019-10-07 8:41 ` [alsa-devel] [PATCH 2/2] ASoC: topology: don't access beyond " Guennadi Liakhovetski
2019-10-07 9:13 ` [alsa-devel] [PATCH 0/2] [RFC] ASoC: topology: fix access beyond data Guennadi Liakhovetski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191007084133.7674-2-guennadi.liakhovetski@linux.intel.com \
--to=guennadi.liakhovetski@linux.intel.com \
--cc=alsa-devel@alsa-project.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.