[PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 sound/soc/sof/ipc4-topology.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index f2a30cd31378..2a19dd022aaf 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -895,7 +895,8 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; u32 ext_size = struct_size(base_cfg_ext, pin_formats, - swidget->num_input_pins + swidget->num_output_pins); + size_add(swidget->num_input_pins, + swidget->num_output_pins));
base_cfg_ext = kzalloc(ext_size, GFP_KERNEL); if (!base_cfg_ext) {
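Review bot: ext_size is declared u32 on the struct_size() line, but struct_size() and size_add() return size_t and report overflow by saturating to SIZE_MAX, so on 64-bit builds the result is truncated before it reaches kzalloc(ext_size, GFP_KERNEL). A sum that no longer wraps can still yield a size above U32_MAX whose low 32 bits are small, which would allocate a short buffer. Suggest declaring it as size_t ext_size so that the saturated or oversized value reaches the allocator intact and the existing !base_cfg_ext check handles the failure.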
On Fri, Sep 15, 2023 at 01:09:11PM -0600, Gustavo A. R. Silva wrote:
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Kees Cook <keescook@chromium.org>
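The wraparound the commit message describes, as an added example that is not part of the patch or the thread: a userspace model comparing the open-coded count with the `size_add()` form. The helpers only model the kernel's saturating semantics with compiler builtins (GCC/Clang), and the struct layouts and the names `ext_size_open_coded` and `ext_size_hardened` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace models of the kernel helpers: saturate to SIZE_MAX on overflow. */
static size_t size_add(size_t a, size_t b)
{
    size_t r;
    return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t size_mul(size_t a, size_t b)
{
    size_t r;
    return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Hypothetical stand-ins for the extension header and its flexible array. */
struct pin_fmt { uint32_t v[4]; };                      /* 16 bytes */
struct cfg_ext { uint32_t hdr[2]; struct pin_fmt pin_formats[]; };

/* Model of struct_size(p, pin_formats, count): header + count * element. */
static size_t model_struct_size(size_t count)
{
    return size_add(sizeof(struct cfg_ext),
                    size_mul(count, sizeof(struct pin_fmt)));
}

/* Before: the sum wraps first, so the helper only sees a small count. */
size_t ext_size_open_coded(size_t in_pins, size_t out_pins)
{
    return model_struct_size(in_pins + out_pins);
}

/* After: the sum saturates, and the saturation propagates to the result. */
size_t ext_size_hardened(size_t in_pins, size_t out_pins)
{
    return model_struct_size(size_add(in_pins, out_pins));
}

int main(void)
{
    /* Constructed inputs: the two counts sum to SIZE_MAX + 2, which wraps to 1. */
    printf("open-coded: %zu\n", ext_size_open_coded(SIZE_MAX, 2));
    printf("hardened:   %zu (SIZE_MAX is %zu)\n",
           ext_size_hardened(SIZE_MAX, 2), (size_t)SIZE_MAX);
    return 0;
}
```

With the wrapped count the open-coded form returns the size of a one-element buffer, while the hardened form returns `SIZE_MAX`, a size no allocator will satisfy.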
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Applied to for-next/hardening, thanks!
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() https://git.kernel.org/kees/c/93d2858dd630
Take care,
On Fri, Sep 29, 2023 at 12:14:59PM -0700, Kees Cook wrote:
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() https://git.kernel.org/kees/c/93d2858dd630
Why is this bypassing the ASoC tree?
On Sun, Oct 01, 2023 at 11:25:59AM +0100, Mark Brown wrote:
On Fri, Sep 29, 2023 at 12:14:59PM -0700, Kees Cook wrote:
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() https://git.kernel.org/kees/c/93d2858dd630
Why is this bypassing the ASoC tree?
Hi! Sorry, I can drop it if you want to take it? I tend to collect trivial hardening changes with reviews that haven't been otherwise commented on for at least 2 weeks.
-Kees
On Sun, Oct 01, 2023 at 01:37:04PM -0700, Kees Cook wrote:
On Sun, Oct 01, 2023 at 11:25:59AM +0100, Mark Brown wrote:
Why is this bypassing the ASoC tree?
Hi! Sorry, I can drop it if you want to take it? I tend to collect trivial hardening changes with reviews that haven't been otherwise commented on for at least 2 weeks.
Yes, it's in my queue - 2 weeks is really rather fast between people not being available and waiting for driver authors to review if they normally look at things.
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() commit: 3746284c233d5cf5f456400e61cd4a46a69c6e8c
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
On Mon, Oct 02, 2023 at 04:17:24PM +0100, Mark Brown wrote:
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`.
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size() commit: 3746284c233d5cf5f456400e61cd4a46a69c6e8c
Thanks! I've dropped it from my tree.
-Kees
participants (3)
- Gustavo A. R. Silva
- Kees Cook
- Mark Brown