Commit 0666910
Jyri Sarha
ipc4: large_config: fix data_off_size underflow on init-only block
ipc4_set_vendor_config_module_instance() only validated data_off_size in
the bursted-config path (init_block && final_block). The else path with
init_block == 1 && final_block == 0 unconditionally executed:

    data += sizeof(struct sof_tlv);
    data_off_size -= sizeof(struct sof_tlv);

data_off_size is a host-controlled 20-bit field taken straight from the
IPC message. When it is smaller than sizeof(struct sof_tlv) (8) the
subtraction underflows and wraps to a value close to 0xFFFFFFFF, which is
then forwarded as the length to the module's set_large_config() handler.
The actual backing buffer is only the MAILBOX_HOSTBOX_SIZE mailbox, so a
compromised host could trigger out-of-bounds reads of DSP SRAM (and
possible corruption depending on the target module) by sending
MOD_LARGE_CONFIG_SET with init_block=1, final_block=0 and
data_off_size < 8.

Hoist the existing "data_off_size < sizeof(struct sof_tlv) ||
data_off_size > MAILBOX_HOSTBOX_SIZE" bounds check to the top of the
function so it runs for every entry, before any pointer or size
arithmetic. The duplicate check in the bursted-config branch is removed
as it is now covered by the hoisted one.
Signed-off-by: Jyri Sarha <jyri.sarha@linux.intel.com>

1 parent 3f7738d
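The underflow the commit message describes, side by side with the hoisted check, as an added example that is not SOF project code. Everything here is a constructed stand-in: the MAILBOX_HOSTBOX_SIZE value, the struct sof_tlv layout (modelled only for its 8-byte size, which the message states), the packed large_config_hdr, the mock_set_large_config() recorder, and the run_before()/run_after() functions that replay the pre-fix and post-fix control flow. It also assumes the bursted path skips the TLV header the same way the init-only path does; the page does not show that.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins (not SOF definitions): the real MAILBOX_HOSTBOX_SIZE value
 * is not on the page; struct sof_tlv is modelled only for its 8-byte size. */
#define MAILBOX_HOSTBOX_SIZE 4096u

struct sof_tlv {
	uint32_t type;
	uint32_t length;
};

/* Hypothetical packed header carrying the fields the commit message names. */
struct large_config_hdr {
	uint32_t data_off_size : 20;   /* host-controlled, straight from the IPC message */
	uint32_t init_block : 1;
	uint32_t final_block : 1;
	uint32_t reserved : 10;
};

/* Outcome of one simulated entry: return code and the length the module got. */
struct result {
	int rc;
	uint32_t len;
};

/* Constructed stand-in for the hostbox backing buffer. */
static char mailbox[MAILBOX_HOSTBOX_SIZE];

/* Stand-in for the module's set_large_config(): records the size it was told. */
static int mock_set_large_config(const char *data, uint32_t size, uint32_t *seen)
{
	(void)data;
	*seen = size;
	return 0;
}

/* Pre-fix control flow: the bounds check lives only in the bursted path, so
 * the init-only branch subtracts the TLV header size from an unchecked value. */
struct result run_before(uint32_t field, bool init, bool final)
{
	struct large_config_hdr hdr = {
		.data_off_size = field & 0xFFFFFu,
		.init_block = init,
		.final_block = final,
	};
	struct result r = { 0, 0 };
	const char *data = mailbox;
	uint32_t data_off_size = hdr.data_off_size; /* 20-bit field widened to 32 bits */

	if (hdr.init_block && hdr.final_block) {
		if (data_off_size < sizeof(struct sof_tlv) ||
		    data_off_size > MAILBOX_HOSTBOX_SIZE) {
			r.rc = -EINVAL;
			return r;
		}
		data += sizeof(struct sof_tlv);      /* assumed: bursted path skips the TLV too */
		data_off_size -= sizeof(struct sof_tlv);
	} else if (hdr.init_block) {
		/* Unchecked: for data_off_size 0..7 this wraps to 0xFFFFFFF8..0xFFFFFFFF. */
		data += sizeof(struct sof_tlv);
		data_off_size -= sizeof(struct sof_tlv);
	}
	r.rc = mock_set_large_config(data, data_off_size, &r.len);
	return r;
}

/* Post-fix control flow: the same check hoisted above every branch, so no
 * pointer or size arithmetic runs on an out-of-range data_off_size. */
struct result run_after(uint32_t field, bool init, bool final)
{
	struct large_config_hdr hdr = {
		.data_off_size = field & 0xFFFFFu,
		.init_block = init,
		.final_block = final,
	};
	struct result r = { 0, 0 };
	const char *data = mailbox;
	uint32_t data_off_size = hdr.data_off_size;

	if (data_off_size < sizeof(struct sof_tlv) ||
	    data_off_size > MAILBOX_HOSTBOX_SIZE) {
		r.rc = -EINVAL;
		return r;
	}
	if (hdr.init_block) {
		/* Safe on both init paths: data_off_size >= 8 is established above. */
		data += sizeof(struct sof_tlv);
		data_off_size -= sizeof(struct sof_tlv);
	}
	r.rc = mock_set_large_config(data, data_off_size, &r.len);
	return r;
}

int main(void)
{
	struct result bad = run_before(4, true, false);
	struct result fixed = run_after(4, true, false);

	printf("before fix: rc=%d len=0x%08x\n", bad.rc, (unsigned)bad.len);
	printf("after fix:  rc=%d len=%u\n", fixed.rc, (unsigned)fixed.len);
	return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The pre-fix path hands the handler 0xFFFFFFFC for data_off_size == 4, which is what the message calls "close to 0xFFFFFFFF"; with the check hoisted the same entry is rejected with -EINVAL, and the largest length any init path can forward is MAILBOX_HOSTBOX_SIZE minus the 8-byte TLV header.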
1 file changed
Lines changed: 4 additions & 6 deletions
Diff: the changed lines themselves did not survive extraction, only the line-number columns did. They show unchanged context at lines 1109-1111, four lines added at new-file lines 1112-1115, six lines removed at original lines 1115-1120, and unchanged context at original lines 1121-1123 (new-file lines 1119-1121).
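Review bot: the diff body is missing from this page, so the hoisted check cannot be read here; what the line-number columns do show is 4 lines added at new-file 1112-1115, 3 lines above the first of 6 removed lines at original 1115-1120, which matches the "4 additions & 6 deletions" summary and the description of a check moved up and a duplicate check dropped from the bursted-config branch. Verify against the file that the added block precedes both `data += sizeof(struct sof_tlv);` and `data_off_size -= sizeof(struct sof_tlv);` in the init-only branch, since that ordering is the whole fix.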