[PATCH v2 0/3] ASoC: sdm845: array out of bound issues
During testing John Stultz and Amit reported few array our bound issues after enabling bound sanitizer
This patch series attempts to fix those!
changes since v1: - make sure the wcd is not de-referenced without intialization
Srinivas Kandagatla (3): ASoC: qcom: sdm845: Fix array out of bounds access ASoC: qcom: sdm845: Fix array out of range on rx slim channels ASoC: codecs: wcd934x: add a sanity check in set channel map
sound/soc/codecs/wcd934x.c | 6 ++++++ sound/soc/qcom/sdm845.c | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-)
Static analysis Coverity had detected a potential array out-of-bounds write issue due to the fact that MAX AFE port Id was set to 16 instead of using AFE_PORT_MAX macro.
Fix this by properly using AFE_PORT_MAX macro.
Fixes: 1b93a8843147 ("ASoC: qcom: sdm845: handle soundwire stream") Reported-by: John Stultz john.stultz@linaro.org Signed-off-by: Srinivas Kandagatla srinivas.kandagatla@linaro.org --- sound/soc/qcom/sdm845.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/qcom/sdm845.c b/sound/soc/qcom/sdm845.c index 6c2760e27ea6..1e2c2d0902ea 100644 --- a/sound/soc/qcom/sdm845.c +++ b/sound/soc/qcom/sdm845.c @@ -33,12 +33,12 @@ struct sdm845_snd_data { struct snd_soc_jack jack; bool jack_setup; - bool stream_prepared[SLIM_MAX_RX_PORTS]; + bool stream_prepared[AFE_PORT_MAX]; struct snd_soc_card *card; uint32_t pri_mi2s_clk_count; uint32_t sec_mi2s_clk_count; uint32_t quat_tdm_clk_count; - struct sdw_stream_runtime *sruntime[SLIM_MAX_RX_PORTS]; + struct sdw_stream_runtime *sruntime[AFE_PORT_MAX]; };
static unsigned int tdm_slot_offset[8] = {0, 4, 8, 12, 16, 20, 24, 28};
WCD934x has only 13 RX SLIM ports however we are setting it as 16 in set_channel_map, this will lead to array out of bounds error!
Orignally caught by enabling USBAN array out of bounds check:
Fixes: 5caf64c633a3 ("ASoC: qcom: sdm845: add support to DB845c and Lenovo Yoga") Reported-by: John Stultz john.stultz@linaro.org Signed-off-by: Srinivas Kandagatla srinivas.kandagatla@linaro.org --- sound/soc/qcom/sdm845.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/qcom/sdm845.c b/sound/soc/qcom/sdm845.c index 1e2c2d0902ea..153e9b2de0b5 100644 --- a/sound/soc/qcom/sdm845.c +++ b/sound/soc/qcom/sdm845.c @@ -27,7 +27,7 @@ #define SPK_TDM_RX_MASK 0x03 #define NUM_TDM_SLOTS 8 #define SLIM_MAX_TX_PORTS 16 -#define SLIM_MAX_RX_PORTS 16 +#define SLIM_MAX_RX_PORTS 13 #define WCD934X_DEFAULT_MCLK_RATE 9600000
struct sdm845_snd_data {
set channel map can be passed with a channel maps, however if the number of channels that are passed are more than the actual supported channels then we would be accessing array out of bounds.
So add a sanity check to validate these numbers!
Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Reported-by: John Stultz john.stultz@linaro.org Signed-off-by: Srinivas Kandagatla srinivas.kandagatla@linaro.org --- Changes since v1: - make sure the wcd is not de-referenced without intialization
sound/soc/codecs/wcd934x.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 40f682f5dab8..d18ae5e3ee80 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -1873,6 +1873,12 @@ static int wcd934x_set_channel_map(struct snd_soc_dai *dai,
wcd = snd_soc_component_get_drvdata(dai->component);
+ if (tx_num > WCD934X_TX_MAX || rx_num > WCD934X_RX_MAX) { + dev_err(wcd->dev, "Invalid tx %d or rx %d channel count\n", + tx_num, rx_num); + return -EINVAL; + } + if (!tx_slot || !rx_slot) { dev_err(wcd->dev, "Invalid tx_slot=%p, rx_slot=%p\n", tx_slot, rx_slot);
On Tue, 9 Mar 2021 14:21:26 +0000, Srinivas Kandagatla wrote:
During testing John Stultz and Amit reported few array our bound issues after enabling bound sanitizer
This patch series attempts to fix those!
changes since v1:
- make sure the wcd is not de-referenced without intialization
[...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/3] ASoC: qcom: sdm845: Fix array out of bounds access commit: a5fd5e475655d3830f376e29ca6a7222dc7074cf [2/3] ASoC: qcom: sdm845: Fix array out of range on rx slim channels commit: 3ed85d1e1aa53db6fa4398846fbd213a7d87ceac [3/3] ASoC: codecs: wcd934x: add a sanity check in set channel map commit: 480c25e7003d0222f64824d4c7afcd274bc66ebd
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
On Tue, Mar 9, 2021 at 6:21 AM Srinivas Kandagatla srinivas.kandagatla@linaro.org wrote:
During testing John Stultz and Amit reported few array our bound issues after enabling bound sanitizer
This patch series attempts to fix those!
changes since v1: - make sure the wcd is not de-referenced without intialization
Srinivas Kandagatla (3): ASoC: qcom: sdm845: Fix array out of bounds access ASoC: qcom: sdm845: Fix array out of range on rx slim channels ASoC: codecs: wcd934x: add a sanity check in set channel map
For the whole series: Tested-by: John Stultz john.stultz@linaro.org
Thanks so much for fixing these up so fast! -john
participants (3)
-
John Stultz
-
Mark Brown
-
Srinivas Kandagatla