[next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()

Message ID ZQSr15AYJpDpipg6@work
State New
Series [next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()

Commit Message

Gustavo A. R. Silva Sept. 15, 2023, 7:09 p.m. UTC
  If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.

Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 sound/soc/sof/ipc4-topology.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Comments

Kees Cook Sept. 15, 2023, 7:14 p.m. UTC | #1
On Fri, Sep 15, 2023 at 01:09:11PM -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
> 
> Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Reviewed-by: Kees Cook <keescook@chromium.org>
  
Kees Cook Sept. 29, 2023, 7:14 p.m. UTC | #2
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
> 
> 

Applied to for-next/hardening, thanks!

[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
      https://git.kernel.org/kees/c/93d2858dd630

Take care,
  
Mark Brown Oct. 1, 2023, 10:25 a.m. UTC | #3
On Fri, Sep 29, 2023 at 12:14:59PM -0700, Kees Cook wrote:
> On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:

> > If, for any reason, the open-coded arithmetic causes a wraparound,
> > the protection that `struct_size()` adds against potential integer
> > overflows is defeated. Fix this by hardening call to `struct_size()`
> > with `size_add()`.

> [1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
>       https://git.kernel.org/kees/c/93d2858dd630

Why is this bypassing the ASoC tree?
  
Kees Cook Oct. 1, 2023, 8:37 p.m. UTC | #4
On Sun, Oct 01, 2023 at 11:25:59AM +0100, Mark Brown wrote:
> On Fri, Sep 29, 2023 at 12:14:59PM -0700, Kees Cook wrote:
> > On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> 
> > > If, for any reason, the open-coded arithmetic causes a wraparound,
> > > the protection that `struct_size()` adds against potential integer
> > > overflows is defeated. Fix this by hardening call to `struct_size()`
> > > with `size_add()`.
> 
> > [1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
> >       https://git.kernel.org/kees/c/93d2858dd630
> 
> Why is this bypassing the ASoC tree?

Hi! Sorry, I can drop it if you want to take it? I tend to collect trivial
hardening changes with reviews that haven't been otherwise commented on
for at least 2 weeks.

-Kees
  
Mark Brown Oct. 2, 2023, 10:59 a.m. UTC | #5
On Sun, Oct 01, 2023 at 01:37:04PM -0700, Kees Cook wrote:
> On Sun, Oct 01, 2023 at 11:25:59AM +0100, Mark Brown wrote:

> > Why is this bypassing the ASoC tree?

> Hi! Sorry, I can drop it if you want to take it? I tend to collect trivial
> hardening changes with reviews that haven't been otherwise commented on
> for at least 2 weeks.

Yes, it's in my queue - 2 weeks is really rather fast between people not
being available and waiting for driver authors to review if they
normally look at things.
  
Mark Brown Oct. 2, 2023, 3:17 p.m. UTC | #6
On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
> 
> 

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
      commit: 3746284c233d5cf5f456400e61cd4a46a69c6e8c

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark
  
Kees Cook Oct. 2, 2023, 4:49 p.m. UTC | #7
On Mon, Oct 02, 2023 at 04:17:24PM +0100, Mark Brown wrote:
> On Fri, 15 Sep 2023 13:09:11 -0600, Gustavo A. R. Silva wrote:
> > If, for any reason, the open-coded arithmetic causes a wraparound,
> > the protection that `struct_size()` adds against potential integer
> > overflows is defeated. Fix this by hardening call to `struct_size()`
> > with `size_add()`.
> > 
> > 
> 
> Applied to
> 
>    https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
> 
> Thanks!
> 
> [1/1] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
>       commit: 3746284c233d5cf5f456400e61cd4a46a69c6e8c

Thanks! I've dropped it from my tree.

-Kees
  

Patch

diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
index f2a30cd31378..2a19dd022aaf 100644
--- a/sound/soc/sof/ipc4-topology.c
+++ b/sound/soc/sof/ipc4-topology.c
@@ -895,7 +895,8 @@  static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget)
 	if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) {
 		struct sof_ipc4_base_module_cfg_ext *base_cfg_ext;
 		u32 ext_size = struct_size(base_cfg_ext, pin_formats,
-						swidget->num_input_pins + swidget->num_output_pins);
+					   size_add(swidget->num_input_pins,
+						    swidget->num_output_pins));
 
 		base_cfg_ext = kzalloc(ext_size, GFP_KERNEL);
 		if (!base_cfg_ext) {
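
Review bot: ext_size is still declared u32 on the struct_size() line, while struct_size() and size_add() both work in size_t and signal overflow by saturating to SIZE_MAX. On a 64-bit build, a result that is larger than U32_MAX but has not saturated would be silently truncated by this assignment before it reaches kzalloc(), so the allocation could be smaller than the computed size; only the fully saturated case stays large after truncation and fails the allocation. Consider declaring ext_size as size_t so the saturated or oversized value is passed to kzalloc() unchanged, and check that later users of ext_size in this function accept a size_t. The commit message would also benefit from naming the types of num_input_pins and num_output_pins, since the hunk does not show them and they determine whether the original addition could wrap in practice.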