[bug report] ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages

Mon May 16 10:54:59 CEST 2022

Hello Peter Ujfalusi,

The patch 066c67624d8c: "ASoC: SOF: ipc-msg-injector: Add support for
IPC4 messages" from May 6, 2022, leads to the following Smatch static
checker warning:

	sound/soc/sof/sof-client-ipc-msg-injector.c:95 sof_msg_inject_ipc4_dfs_read()
	warn: userbuf overflow? is '8' <= 'count'

sound/soc/sof/sof-client-ipc-msg-injector.c
    72 static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
    73                                             char __user *buffer,
    74                                             size_t count, loff_t *ppos)
    75 {
    76         struct sof_client_dev *cdev = file->private_data;
    77         struct sof_msg_inject_priv *priv = cdev->data;
    78         struct sof_ipc4_msg *ipc4_msg = priv->rx_buffer;
    79         size_t remaining;
    80 
    81         if (!ipc4_msg->header_u64 || !count || *ppos)
    82                 return 0;
    83 
    84         remaining = sizeof(ipc4_msg->header_u64);
    85 
    86         /* Only get large config have payload */
    87         if (SOF_IPC4_MSG_IS_MODULE_MSG(ipc4_msg->primary) &&
    88             (SOF_IPC4_MSG_TYPE_GET(ipc4_msg->primary) == SOF_IPC4_MOD_LARGE_CONFIG_GET))
    89                 remaining += ipc4_msg->data_size;
    90 
    91         if (count > remaining)
    92                 count = remaining;
    93 
    94         /* copy the header first */
--> 95         if (copy_to_user(buffer, &ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64)))
    96                 return -EFAULT;
    97 
    98         *ppos += sizeof(ipc4_msg->header_u64);
    99         remaining -= sizeof(ipc4_msg->header_u64);
    100 
    101         if (!remaining)
    102                 return count;
    103 
    104         if (remaining > ipc4_msg->data_size)
    105                 remaining = ipc4_msg->data_size;
    106 
    107         /* Copy the payload */
    108         if (copy_to_user(buffer + *ppos, ipc4_msg->data_ptr, remaining))
                                 ^^^^^^^^^^^^^^^
Potentially writing more than count bytes resulting in corrupting the
user space memory.

    109                 return -EFAULT;
    110 
    111         *ppos += remaining;
    112         return count;
    113 }

regards,
dan carpenter