[PATCH] ASoC: SOF: ipc-msg-injector: Cap the rmaining to count in IPC4 mode

Mon May 16 11:24:42 CEST 2022

If user space provides smaller buffer than the IPC4 reply then it is
possible that we corrupt user space memory since the IPC4 dfs_read function
is not using the count directly in copy_to_user() due to the nature of
an IPC4 message.

Cap the remaining counter to make sure that we are not writing too much to
the user space provided buffer.

Add a check also to make sure that the buffer is at least the size of the
IPC4 header.

Fixes: 066c67624d8c: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages"
Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi at linux.intel.com>
---
 sound/soc/sof/sof-client-ipc-msg-injector.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c
index c2480317730c..03490a4d4ae7 100644
--- a/sound/soc/sof/sof-client-ipc-msg-injector.c
+++ b/sound/soc/sof/sof-client-ipc-msg-injector.c
@@ -76,12 +76,17 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
 	struct sof_client_dev *cdev = file->private_data;
 	struct sof_msg_inject_priv *priv = cdev->data;
 	struct sof_ipc4_msg *ipc4_msg = priv->rx_buffer;
+	size_t header_size = sizeof(ipc4_msg->header_u64);
 	size_t remaining;
 
 	if (!ipc4_msg->header_u64 || !count || *ppos)
 		return 0;
 
-	remaining = sizeof(ipc4_msg->header_u64);
+	/* we need space for the header at minimum (u64) */
+	if (count < header_size)
+		return -ENOSPC;
+
+	remaining = header_size;
 
 	/* Only get large config have payload */
 	if (SOF_IPC4_MSG_IS_MODULE_MSG(ipc4_msg->primary) &&
@@ -90,13 +95,15 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file,
 
 	if (count > remaining)
 		count = remaining;
+	else if (count < remaining)
+		remaining = count;
 
 	/* copy the header first */
-	if (copy_to_user(buffer, &ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64)))
+	if (copy_to_user(buffer, &ipc4_msg->header_u64, header_size))
 		return -EFAULT;
 
-	*ppos += sizeof(ipc4_msg->header_u64);
-	remaining -= sizeof(ipc4_msg->header_u64);
+	*ppos += header_size;
+	remaining -= header_size;
 
 	if (!remaining)
 		return count;
-- 
2.36.1

