volume: bound init payload reads against its actual size

lrgirdwo · kv2019i · commit 00686788b30b · 2026-06-22T11:38:36.000+03:00
Init read the per-channel config[] array using the stream channel count
without checking the payload was large enough, reading past the mailbox.

The payload comes in two forms: an all-channels entry (channel_id set to
ALL_CHANNELS_MASK) that carries a single config applied to every channel,
or one config entry per channel. The per-channel loop always indexed
config[channel], so the common all-channels payload (one entry) was read
out of bounds for every channel beyond the first; the result was then
discarded, masking the over-read.

Require at least one entry before dereferencing config[0] to detect the
form, require one entry per channel only for the per-channel form, and
index config[] by the selected entry so no read goes past the payload.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/src/audio/volume/volume_ipc4.c b/src/audio/volume/volume_ipc4.c
@@ -115,6 +115,7 @@ int volume_init(struct processing_module *mod)
 	uint32_t channels_count;
 	uint8_t channel_cfg;
 	uint8_t channel;
+	bool all_channels;
 	uint32_t instance_id = IPC4_INST_ID(dev_comp_id(dev));
 
 	if (instance_id >= IPC4_MAX_PEAK_VOL_REG_SLOTS) {
@@ -127,6 +128,26 @@ int volume_init(struct processing_module *mod)
 		return -EINVAL;
 	}
 
+	/* The payload must hold at least one config entry, which is read below
+	 * to detect the all-channels form.
+	 */
+	if (cfg->size < sizeof(*vol) + sizeof(vol->config[0])) {
+		comp_err(dev, "Invalid init payload size %zu", cfg->size);
+		return -EINVAL;
+	}
+
+	/* In the all-channels form a single entry applies to every channel;
+	 * otherwise the payload must hold one entry per channel as they are
+	 * each read below.
+	 */
+	all_channels = vol->config[0].channel_id == IPC4_ALL_CHANNELS_MASK;
+	if (!all_channels &&
+	    cfg->size < sizeof(*vol) + channels_count * sizeof(vol->config[0])) {
+		comp_err(dev, "Invalid init payload size %zu for %u channels",
+			 cfg->size, channels_count);
+		return -EINVAL;
+	}
+
 	cd = mod_zalloc(mod, sizeof(struct vol_data));
 	if (!cd)
 		return -ENOMEM;
@@ -156,16 +177,13 @@ int volume_init(struct processing_module *mod)
 	md->private = cd;
 
 	for (channel = 0; channel < channels_count; channel++) {
-		if (vol->config[0].channel_id == IPC4_ALL_CHANNELS_MASK)
-			channel_cfg = 0;
-		else
-			channel_cfg = channel;
+		channel_cfg = all_channels ? 0 : channel;
 
 		target_volume[channel] =
-			convert_volume_ipc4_to_ipc3(dev, vol->config[channel].target_volume);
+			convert_volume_ipc4_to_ipc3(dev, vol->config[channel_cfg].target_volume);
 
 		set_volume_ipc4(cd, channel,
-				target_volume[channel_cfg],
+				target_volume[channel],
 				vol->config[channel_cfg].curve_type,
 				vol->config[channel_cfg].curve_duration);
 
