[02/15] ASoC: Intel: avs: Fix potential RX buffer overflow

Message ID	20221010120749.716499-3-cezary.rojewski@intel.com
State	Superseded
Headers	show Return-Path: <alsa-devel-bounces@alsa-project.org> From: Cezary Rojewski <cezary.rojewski@intel.com> To: alsa-devel@alsa-project.org, broonie@kernel.org Subject: [PATCH 02/15] ASoC: Intel: avs: Fix potential RX buffer overflow Date: Mon, 10 Oct 2022 14:07:36 +0200 Message-Id: <20221010120749.716499-3-cezary.rojewski@intel.com> In-Reply-To: <20221010120749.716499-1-cezary.rojewski@intel.com> References: <20221010120749.716499-1-cezary.rojewski@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Cc: Cezary Rojewski <cezary.rojewski@intel.com>, CoolStar <coolstarorganization@gmail.com>, pierre-louis.bossart@linux.intel.com, tiwai@suse.com, hdegoede@redhat.com, amadeuszx.slawinski@linux.intel.com Precedence: list Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>
Series	ASoC: Intel: avs: Fixes and new boards support \| expand [00/15] ASoC: Intel: avs: Fixes and new boards support [01/15] ASoC: Intel: avs: Fix DMA mask assignment [02/15] ASoC: Intel: avs: Fix potential RX buffer overflow [03/15] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform [04/15] ASoC: Intel: avs: Add quirk for KBL-R RVP platform [05/15] ASoC: Intel: avs: Support AML with rt286 configuration [06/15] ASoC: Intel: avs: Support da7219 on both KBL and APL [07/15] ASoC: Intel: avs: Add missing SKL-based device IDs [08/15] ASoC: Intel: avs: Simplify d0ix disabling routine [09/15] ASoC: Intel: avs: Add missing include to HDA board [10/15] ASoC: Intel: avs: Do not reuse msg between different IPC handlers [11/15] ASoC: Intel: avs: Do not treat unsupported IPCs as invalid [12/15] ASoC: Intel: avs: Do not print IPC error message twice [13/15] ASoC: Intel: avs: Simplify ignore_fw_version description [14/15] ASoC: Intel: avs: Simplify log control for SKL [15/15] ASoC: codecs: hda: Fix spelling error in log message

Message ID

20221010120749.716499-3-cezary.rojewski@intel.com

State

Superseded

Headers

From: Cezary Rojewski <cezary.rojewski@intel.com>
To: alsa-devel@alsa-project.org,
	broonie@kernel.org
Subject: [PATCH 02/15] ASoC: Intel: avs: Fix potential RX buffer overflow
Date: Mon, 10 Oct 2022 14:07:36 +0200
Message-Id: <20221010120749.716499-3-cezary.rojewski@intel.com>
In-Reply-To: <20221010120749.716499-1-cezary.rojewski@intel.com>
References: <20221010120749.716499-1-cezary.rojewski@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: Cezary Rojewski <cezary.rojewski@intel.com>,
 CoolStar <coolstarorganization@gmail.com>,
 pierre-louis.bossart@linux.intel.com, tiwai@suse.com, hdegoede@redhat.com,
 amadeuszx.slawinski@linux.intel.com
Precedence: list
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>

Series

ASoC: Intel: avs: Fixes and new boards support | expand

Commit Message

Cezary Rojewski Oct. 10, 2022, 12:07 p.m. UTC

If an event caused firmware to return invalid RX size for
LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.
Fix by utilizing min_t().

Reported-by: CoolStar <coolstarorganization@gmail.com>
Fixes: f14a1c5a9f83 ("ASoC: Intel: avs: Add module management requests")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
---
 sound/soc/intel/avs/ipc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
index 020d85c7520d..77da206f7dbb 100644
--- a/sound/soc/intel/avs/ipc.c
+++ b/sound/soc/intel/avs/ipc.c
@@ -192,7 +192,8 @@  static void avs_dsp_receive_rx(struct avs_dev *adev, u64 header)
 		/* update size in case of LARGE_CONFIG_GET */
 		if (msg.msg_target == AVS_MOD_MSG &&
 		    msg.global_msg_type == AVS_MOD_LARGE_CONFIG_GET)
-			ipc->rx.size = msg.ext.large_config.data_off_size;
+			ipc->rx.size = min_t(u32, AVS_MAILBOX_SIZE,
+					     msg.ext.large_config.data_off_size);
 
 		memcpy_fromio(ipc->rx.data, avs_uplink_addr(adev), ipc->rx.size);
 		trace_avs_msg_payload(ipc->rx.data, ipc->rx.size);

[02/15] ASoC: Intel: avs: Fix potential RX buffer overflow

Commit Message

Patch