[alsa-devel] [PATCH] ASoC: Intel: skl_hda_dsp_common: Fix global-out-of-bounds bug
Kai Vehmanen
kai.vehmanen at linux.intel.com
Thu Jan 23 09:31:23 CET 2020
Hi,
On Wed, 22 Jan 2020, Pierre-Louis Bossart wrote:
> On 1/22/20 12:12 PM, Cezary Rojewski wrote:
> > Definitions for idisp snd_soc_dai_links within skl_hda_dsp_common are
> > missing platform component. Add it to address following bug reported by
> > KASAN:
[...]
> > [ 10.538502] BUG: KASAN: global-out-of-bounds in
> > skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
> > [ 10.538509] Write of size 8 at addr ffffffffc0606840 by task
> > systemd-udevd/299
> > (...)
>
> You could probably skip the call trace, it doesn't really provide much
> information.
>
> Kai and Ranjani, do you think this impacts SOF as well? Or does our BE
> override somehow suppresses the problem?
yes, this is a good catch Cezary! We actually initialize the platform
correctly in other machine drivers, so this is a specific bug in the
generic HDA mach driver.
What happens is that 'platforms' is initialized to an empty array:
static struct snd_soc_dai_link_component idisp1_cpus[] = { { .dai_name = "iDisp1 Pin", } };
static struct snd_soc_dai_link_component idisp1_codecs[] = { { .name = "ehdaudio0D2", .dai_name = "intel-hdmi-hifi1", } };
static struct snd_soc_dai_link_component idisp1_platforms[] = { }
... but then before card registration, mach driver code assumes there is
at least one platform in the array:
» for_each_card_prelinks(card, i, dai_link)
» » dai_link->platforms->name = mach_params->platform;
... and this results in out-of-bound write.
Cezary's patch is aligned with other machine drivers and typical ASOC
macro usage so:
Reviewed-by: Kai Vehmanen <kai.vehmanen at linux.intel.com>
I'll check if other machine drivers are impacted as well.
Br, Kai
More information about the Alsa-devel
mailing list