ASoC: SOF: ipc3-control: Fix heap overflow in bytes_ext put/get#5769
Open
ujfalusi wants to merge 1 commit into
Open
ASoC: SOF: ipc3-control: Fix heap overflow in bytes_ext put/get#5769ujfalusi wants to merge 1 commit into
ujfalusi wants to merge 1 commit into
Conversation
The ipc_control_data buffer is allocated as kzalloc(max_size), where max_size covers the entire struct sof_ipc_ctrl_data including its flexible array payload. However, the bounds checks in bytes_ext_put and _bytes_ext_get compared user data lengths against max_size directly, ignoring that cdata->data sits at an offset of sizeof(struct sof_ipc_ctrl_data) bytes into the allocation. This allowed writing up to sizeof(struct sof_ipc_ctrl_data) bytes past the end of the heap buffer from unprivileged userspace via the ALSA TLV kcontrol interface, and similarly allowed over-reading adjacent heap data on the get path. Fix all bounds checks to subtract sizeof(*cdata) from max_size so they reflect the actual space available at the cdata->data offset. Also fix the error-path restore in bytes_ext_put which wrote to cdata->data instead of cdata, causing the same overflow. Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ujfalusi
requested review from
bardliao,
dbaluta,
kv2019i,
lgirdwood,
plbossart and
ranj063
as code owners
There was a problem hiding this comment.
Pull request overview
Fixes incorrect bounds checking for IPC3 bytes ext TLV put/get paths by accounting for the struct sof_ipc_ctrl_data header offset within the allocated buffer, preventing heap overflows/over-reads via the ALSA TLV kcontrol interface.
Changes:
- Correct bounds checks in
sof_ipc3_bytes_ext_put()and_sof_ipc3_bytes_ext_get()to compare against the actual available payload space (max_size - sizeof(*cdata)). - Fix error-path restore in
sof_ipc3_bytes_ext_put()to restore the fullsof_ipc_ctrl_databuffer (not justcdata->data).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+392
to
395
| if (header.length > scontrol->max_size - sizeof(*cdata)) { | ||
| dev_err_ratelimited(scomp->dev, "Bytes data size %d exceeds max %zu\n", | ||
| header.length, scontrol->max_size); | ||
| header.length, scontrol->max_size - sizeof(*cdata)); | ||
| return -EINVAL; |
| header.length, scontrol->max_size - sizeof(*cdata)); | ||
| return -EINVAL; | ||
| } | ||
|
|
| if (cdata->data->size > scontrol->max_size - sizeof(*cdata) - | ||
| sizeof(struct sof_abi_hdr)) { | ||
| dev_err_ratelimited(scomp->dev, | ||
| "User data size %d exceeds max size %zu\n", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The ipc_control_data buffer is allocated as kzalloc(max_size), where max_size covers the entire struct sof_ipc_ctrl_data including its flexible array payload. However, the bounds checks in bytes_ext_put and _bytes_ext_get compared user data lengths against max_size directly, ignoring that cdata->data sits at an offset of sizeof(struct sof_ipc_ctrl_data) bytes into the allocation.
This allowed writing up to sizeof(struct sof_ipc_ctrl_data) bytes past the end of the heap buffer from unprivileged userspace via the ALSA TLV kcontrol interface, and similarly allowed over-reading adjacent heap data on the get path.
Fix all bounds checks to subtract sizeof(*cdata) from max_size so they reflect the actual space available at the cdata->data offset. Also fix the error-path restore in bytes_ext_put which wrote to cdata->data instead of cdata, causing the same overflow.