Re: out-of-bounds access in sound/soc/sof/topology.c

From: Sergey Senozhatsky
Date: Wed Apr 27 2022 - 02:56:19 EST

Next message: Thomas Gleixner: "Re: [patch v12 05/13] task isolation: sync vmstats on return to userspace"
Previous message: Willy Tarreau: "[PATCH net 6/7] tcp: increase source port perturb table to 2^16"
Next in thread: Péter Ujfalusi: "Re: out-of-bounds access in sound/soc/sof/topology.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On (22/04/19 08:07), Pierre-Louis Bossart wrote:
> > Your analyzes are spot on, unfortunately. But...
> >
> > As of today, the sof_get_control_data() is in the call path of
> > (ipc3-topology.c):
> >
> > sof_widget_update_ipc_comp_process() -> sof_process_load() ->
> > sof_get_control_data()
> >
> > sof_widget_update_ipc_comp_process() is the ipc_setup callback for
> > snd_soc_dapm_effect. If I'm not mistaken these only carries bin payload
> > and never MIXER/ENUM/SWITCH/VOLUME.
> > This means that the sof_get_control_data() is only called with
> > SND_SOC_TPLG_TYPE_BYTES and for that the allocated data area is correct.
> >
> > This can explain why we have not seen any issues so far. This does not
> > renders the code right, as how it is written atm is wrong.
>
>
> Sergey's results with KASAN show that there's a real-life problem though. I also don't understand how that might happen.
>
> Could it be that these results are with a specific topology where our assumptions are incorrect?

Is there anything I can do to help?

Next message: Thomas Gleixner: "Re: [patch v12 05/13] task isolation: sync vmstats on return to userspace"
Previous message: Willy Tarreau: "[PATCH net 6/7] tcp: increase source port perturb table to 2^16"
Next in thread: Péter Ujfalusi: "Re: out-of-bounds access in sound/soc/sof/topology.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]