| Message ID | a311e4ae83406f714c9d1f7f2f857284265e581c.1685640591.git.christophe.jaillet@wanadoo.fr |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp503515vqr;
Thu, 1 Jun 2023 10:39:49 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ7RoqP6tdv1gsPmYRfjgqnWfOhgLIomgIGNLzvWsW+5HlzjtrPOYNjwEGEIz2kT7eTMTFel
X-Received: by 2002:a05:6a21:3388:b0:10c:2fe0:b3d with SMTP id
yy8-20020a056a21338800b0010c2fe00b3dmr8442534pzb.33.1685641189054;
Thu, 01 Jun 2023 10:39:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685641189; cv=none;
d=google.com; s=arc-20160816;
b=xef6JJm3HtPH8b3P7w9Zpo7o2cyklCtxchRCP5rteF81+59AVdLDeBgbBLqTzyK0ZA
IdQ5OmWRMQFYaGNs5RONSn6cEOCz4cNW6UFUGp9KM3Tud+vo+pa7HPJGJX9OobKDhVvc
3hguFCW9pG2FqPDit8OphUCEYr4B4htn8DgjOcGGE4ISN7qNRGuZYjzQrXaTcm4cAp3c
xJn1612w1ysfUcuAgZ1h+Sj6atvzdMTANJ+NHeGWZtCLEK5bda5ZvpCmdH/ylF2pSu0T
LkjKfdmsTL7EI39ju/nvv3G9ovspHFoTqbaS+Pui6/0ZRbdLRqFvGuNcs6d3tY0uCb/t
I0Iw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=rhggJM25UscX66J1Ug1pJJ1oVkQChGg3ni6GqVZhFI0=;
b=UjkD+AnWcop2Gw2uWqt+sCZomITxY6JDBH/KD7SkqrHISrk9KrF5EPs4b+Gy37OAYE
u7VahpF+kDoH4o/FppnMvsf7QVzwE2MoTCjC31trL0gQ5nF4FbZdz14lOkt8GCR4Dyuk
03vd9UQLkm/jzwUO8aHrIo2wBAcJTS5gh2Xgxfd4oJy41cBQvDAeCv9G+7sERWkB1rDO
gZ4SBB5z1UE7E0rMynMn5vds8841vXO6XnJwilM2loHHluoCGTJmmgmBd3gcLQvdno5+
6PlFGcSLGIURiYYOIKWOWzo3qra3AQLOp+faEovVUpURVdO6MEYH68lNASoK8t2OROZP
FBxw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@wanadoo.fr header.s=t20230301 header.b="hEQw/usF";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
i12-20020a633c4c000000b0051b930ef847si3148648pgn.134.2023.06.01.10.39.34;
Thu, 01 Jun 2023 10:39:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@wanadoo.fr header.s=t20230301 header.b="hEQw/usF";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231678AbjFARac (ORCPT <rfc822;limurcpp@gmail.com> + 99 others);
Thu, 1 Jun 2023 13:30:32 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60220 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232172AbjFARab (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 1 Jun 2023 13:30:31 -0400
Received: from smtp.smtpout.orange.fr (smtp-20.smtpout.orange.fr
[80.12.242.20])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A3411A2
for <linux-kernel@vger.kernel.org>;
Thu, 1 Jun 2023 10:30:25 -0700 (PDT)
Received: from pop-os.home ([86.243.2.178])
by smtp.orange.fr with ESMTPA
id 4m7qqKkRYe9XV4m7qqJitg; Thu, 01 Jun 2023 19:30:18 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wanadoo.fr;
s=t20230301; t=1685640618;
bh=rhggJM25UscX66J1Ug1pJJ1oVkQChGg3ni6GqVZhFI0=;
h=From:To:Cc:Subject:Date;
b=hEQw/usFf5yS+y9l4ClFR8rgeZwr2277zC+d2Mk73yPZjHgov2C9HuWtcnxXuChk3
wD8vpbixpGVJtCJoCRO3FNPLN8dON09RpnfHLZbYdz8sheqbwP/nrdWgN1ERr2kIMx
LkrEFfXDsYMJmUDxGpbh3sfPP0cK5Lxe4hKUc0Br7+GXhSSe4WUjwFnwA18lEb9nXh
fYQCz1GoLvK946K59PwI7IAbtVItKflaWfb0yS6dsU3uK6k4uTe1mPyBwtkQ0A99cu
S0OphpjdSucfnF2u9NJ4wUzWLIVvUAaq08Xx8GayAB5iILrKzn7Xke+Ja+ZT/Ov3Yi
HcGfLUBumtO1A==
X-ME-Helo: pop-os.home
X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI=
X-ME-Date: Thu, 01 Jun 2023 19:30:18 +0200
X-ME-IP: 86.243.2.178
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
To: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
Liam Girdwood <lgirdwood@gmail.com>,
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>,
Bard Liao <yung-chuan.liao@linux.intel.com>,
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>,
Daniel Baluta <daniel.baluta@nxp.com>,
Kai Vehmanen <kai.vehmanen@linux.intel.com>,
Mark Brown <broonie@kernel.org>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>
Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org,
Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
sound-open-firmware@alsa-project.org, alsa-devel@alsa-project.org
Subject: [PATCH] ASoC: SOF: ipc4-topology: Use size_t for variable passed to
kzalloc()
Date: Thu, 1 Jun 2023 19:30:12 +0200
Message-Id:
<a311e4ae83406f714c9d1f7f2f857284265e581c.1685640591.git.christophe.jaillet@wanadoo.fr>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767522895275647139?=
X-GMAIL-MSGID: =?utf-8?q?1767522895275647139?=
|
| Series |
ASoC: SOF: ipc4-topology: Use size_t for variable passed to kzalloc()
|
|
Commit Message
Christophe JAILLET
June 1, 2023, 5:30 p.m. UTC
struct_size() checks for overflow, but assigning its result to just a u32
may still overflow after a successful check.
Use a size_t instead in order to be cleaner.
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
Based on analysis from Dan Carpenter on another patch (see [1]).
[1]: https://lore.kernel.org/all/00e84595-e2c9-48ea-8737-18da34eaafbf@kili.mountain/
---
sound/soc/sof/ipc4-topology.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On 6/1/23 12:30, Christophe JAILLET wrote: > struct_size() checks for overflow, but assigning its result to just a u32 > may still overflow after a successful check. > > Use a size_t instead in order to be cleaner. > > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > Based on analysis from Dan Carpenter on another patch (see [1]). > > [1]: https://lore.kernel.org/all/00e84595-e2c9-48ea-8737-18da34eaafbf@kili.mountain/ looks like there are similar cases of struct_size -> u32 conversions in other places: struct snd_sof_control { u32 size; /* cdata size */ ipc3-topology.c: scontrol->size = struct_size(cdata, chanv, scontrol->num_channels); ipc3-topology.c: scontrol->size = struct_size(cdata, chanv, scontrol->num_channels); ipc4-topology.c: scontrol->size = struct_size(control_data, chanv, scontrol->num_channels); not sure how much of an issue this really is though? > --- > sound/soc/sof/ipc4-topology.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c > index db64e0cb8663..50faa4c88b97 100644 > --- a/sound/soc/sof/ipc4-topology.c > +++ b/sound/soc/sof/ipc4-topology.c > @@ -881,7 +881,7 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) > /* allocate memory for base config extension if needed */ > if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { > struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; > - u32 ext_size = struct_size(base_cfg_ext, pin_formats, > + size_t ext_size = struct_size(base_cfg_ext, pin_formats, > swidget->num_input_pins + swidget->num_output_pins); > > base_cfg_ext = kzalloc(ext_size, GFP_KERNEL);
Le 01/06/2023 à 19:39, Pierre-Louis Bossart a écrit : > > > On 6/1/23 12:30, Christophe JAILLET wrote: >> struct_size() checks for overflow, but assigning its result to just a u32 >> may still overflow after a successful check. >> >> Use a size_t instead in order to be cleaner. >> >> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> >> --- >> Based on analysis from Dan Carpenter on another patch (see [1]). >> >> [1]: https://lore.kernel.org/all/00e84595-e2c9-48ea-8737-18da34eaafbf@kili.mountain/ > > looks like there are similar cases of struct_size -> u32 conversions in > other places: > > struct snd_sof_control { > u32 size; /* cdata size */ > > ipc3-topology.c: scontrol->size = struct_size(cdata, chanv, > scontrol->num_channels); > ipc3-topology.c: scontrol->size = struct_size(cdata, chanv, > scontrol->num_channels); > ipc4-topology.c: scontrol->size = struct_size(control_data, > chanv, scontrol->num_channels); My coccinelle script does not handle such cases. > > not sure how much of an issue this really is though? I agree that in practice it should be safe as-is, but it can't hurt :). I don't know this code well, but should [2] be part of the call chain, it is obvious that it CAN'T overflow. I checked for places where such pattern occurs after Dan's comment on another patch. I'll see if I find better candidates. CJ [2]: https://elixir.bootlin.com/linux/v6.4-rc1/source/sound/soc/sof/topology.c#L1404 > >> --- >> sound/soc/sof/ipc4-topology.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c >> index db64e0cb8663..50faa4c88b97 100644 >> --- a/sound/soc/sof/ipc4-topology.c >> +++ b/sound/soc/sof/ipc4-topology.c >> @@ -881,7 +881,7 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) >> /* allocate memory for base config extension if needed */ >> if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { >> struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; >> - u32 ext_size = struct_size(base_cfg_ext, pin_formats, >> + size_t ext_size = struct_size(base_cfg_ext, pin_formats, >> swidget->num_input_pins + swidget->num_output_pins); >> >> base_cfg_ext = kzalloc(ext_size, GFP_KERNEL); >
On Thu, Jun 01, 2023 at 07:30:12PM +0200, Christophe JAILLET wrote: > struct_size() checks for overflow, but assigning its result to just a u32 > may still overflow after a successful check. > > Use a size_t instead in order to be cleaner. > > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > Based on analysis from Dan Carpenter on another patch (see [1]). > > [1]: https://lore.kernel.org/all/00e84595-e2c9-48ea-8737-18da34eaafbf@kili.mountain/ > --- > sound/soc/sof/ipc4-topology.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c > index db64e0cb8663..50faa4c88b97 100644 > --- a/sound/soc/sof/ipc4-topology.c > +++ b/sound/soc/sof/ipc4-topology.c > @@ -881,7 +881,7 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) > /* allocate memory for base config extension if needed */ > if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { > struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; > - u32 ext_size = struct_size(base_cfg_ext, pin_formats, > + size_t ext_size = struct_size(base_cfg_ext, pin_formats, > swidget->num_input_pins + swidget->num_output_pins); The temptation would be to change the addition as well: size_t ext_size = struct_size(base_cfg_ext, pin_formats, size_add(swidget->num_input_pins, swidget->num_output_pins); These values can only be in the 0-8 range so it's not a real bug. Smatch cannot parse this data correctly to verify that it is safe. Maybe in two years Smatch will be able to. Probably a human who is unfamiliar with this code can figure out that it is safe within 15 minutes? I think the change to size_t doesn't hurt anyone and there isn't any downside to it. The size_add() change is slightly less readable than just adding the numbers but I think eventually people will just get used to it. regards, dan carpenter
diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index db64e0cb8663..50faa4c88b97 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -881,7 +881,7 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) /* allocate memory for base config extension if needed */ if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; - u32 ext_size = struct_size(base_cfg_ext, pin_formats, + size_t ext_size = struct_size(base_cfg_ext, pin_formats, swidget->num_input_pins + swidget->num_output_pins); base_cfg_ext = kzalloc(ext_size, GFP_KERNEL);