platform: posix: fix MAILBOX_*_BASE byte-pointer units

tmleman · tmleman · commit 435c0d440906 · 2026-05-28T19:08:59.000+02:00
On every other SOF platform, MAILBOX_HOSTBOX_BASE, MAILBOX_DSPBOX_BASE,
MAILBOX_STREAM_BASE and MAILBOX_TRACE_BASE expand to a byte address
(an integer literal or SRAM_INBOX_BASE), so the generic mailbox API in
sof/src/include/sof/lib/mailbox.h can do plain byte arithmetic --
`MAILBOX_HOSTBOX_BASE + offset` and `memcpy(_s)(..., bytes)` -- and
land on the intended byte.

On POSIX, the bases were defined as `(&amp;posix_hostbox[0])` etc., i.e.
plain `uint32_t *` expressions.  Pointer arithmetic on a `uint32_t *`
scales the addend by `sizeof(uint32_t) == 4`, so
`MAILBOX_HOSTBOX_BASE + offset` silently addressed byte
`offset * 4`, four times further into the buffer than the API
contract.

This was latent for years because MAILBOX_HOSTBOX_SIZE was hard-coded
to 1024 on POSIX while the largest byte offset used through
mailbox_hostbox_read() in IPC3 mailbox_validate() (offset = 8, bytes =
SOF_IPC_MSG_MAX_SIZE - 8 = 376) stays within 32 + 376 = 408 bytes,
comfortably under 1024.  After commit "fuzz: posix: size MAILBOX_HOSTBOX
from SOF_IPC_MSG_MAX_SIZE" (384 in IPC3 builds, 4096 in IPC4 builds),
the scaled IPC3 read overruns the now exactly right-sized backing buffer
by 24 bytes, which AddressSanitizer catches as a global-buffer-overflow
inside libc memcpy called from mailbox_hostbox_read() -&gt; memcpy_s().
Reproducer (with the new 2-byte framing): two-byte fuzz input "\x80\x01"
(msgsz=384, header-only message).

Cast each base to `(uint8_t *)` so byte-offset arithmetic is honoured
and the macro semantics match every other platform.  The `uint32_t[]`
backing storage is kept for natural alignment; only how the macro
exposes that storage changes.

Signed-off-by: Tomasz Leman &lt;tomasz.m.leman@intel.com&gt;
diff --git a/src/platform/posix/include/platform/lib/memory.h b/src/platform/posix/include/platform/lib/memory.h
@@ -12,20 +12,32 @@
 #define uncache_to_cache(addr) (addr)
 #define cache_to_uncache(addr) (addr)
 
+/*
+ * Mailbox base macros must yield byte-pointer arithmetic so that the
+ * generic mailbox API in `sof/src/include/sof/lib/mailbox.h`
+ * (`MAILBOX_HOSTBOX_BASE + offset`, etc., where `offset` is a byte
+ * offset) addresses the intended byte.  The backing storage is
+ * declared as `uint32_t[]` only for natural-alignment; addressing is
+ * done through a `uint8_t *` cast so byte offsets do not get scaled
+ * by `sizeof(uint32_t)`.  Every other SOF platform defines these
+ * bases as plain byte addresses (integer literals or
+ * `SRAM_INBOX_BASE`), so the cast keeps POSIX consistent with that
+ * ABI.
+ */
 extern uint32_t posix_hostbox[];
 #define MAILBOX_HOSTBOX_SIZE SOF_IPC_MSG_MAX_SIZE
-#define MAILBOX_HOSTBOX_BASE (&posix_hostbox[0])
+#define MAILBOX_HOSTBOX_BASE ((uint8_t *)&posix_hostbox[0])
 
 extern uint32_t posix_dspbox[];
 #define MAILBOX_DSPBOX_SIZE 4096
-#define MAILBOX_DSPBOX_BASE (&posix_dspbox[0])
+#define MAILBOX_DSPBOX_BASE ((uint8_t *)&posix_dspbox[0])
 
 extern uint32_t posix_stream[];
 #define MAILBOX_STREAM_SIZE 4096
-#define MAILBOX_STREAM_BASE (&posix_stream[0])
+#define MAILBOX_STREAM_BASE ((uint8_t *)&posix_stream[0])
 
 extern uint32_t posix_trace[];
-#define MAILBOX_TRACE_BASE (&posix_trace[0])
+#define MAILBOX_TRACE_BASE ((uint8_t *)&posix_trace[0])
 #define MAILBOX_TRACE_SIZE 4096
 
 #define PLATFORM_HEAP_SYSTEM 1
