ipc4: helper: validate host device_count before indexing channel map#10864
Open
abonislawski wants to merge 1 commit into
Open
ipc4: helper: validate host device_count before indexing channel map#10864abonislawski wants to merge 1 commit into
abonislawski wants to merge 1 commit into
Conversation
dma_cfg->channel_map.device_count comes from a host supplied gateway config blob and was used directly to bound the loop indexing the fixed channel_map.map[GTW_DMA_DEVICE_MAX_COUNT] array, allowing an out-of-bounds read. Reject counts above the ABI maximum with IPC4_INVALID_REQUEST. Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>
abonislawski
requested review from
dbaluta,
kv2019i,
lbetlej,
lgirdwood,
mmaka1 and
plbossart
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens IPC4 gateway DMA configuration parsing by validating dma_cfg->channel_map.device_count (host-supplied) before using it to index the fixed-size channel_map.map[GTW_DMA_DEVICE_MAX_COUNT] array, preventing out-of-bounds reads in ipc4_find_dma_config_multiple().
Changes:
- Cache
device_countlocally and reject values aboveGTW_DMA_DEVICE_MAX_COUNT. - Return
IPC4_INVALID_REQUEST(and log) when the host provides an invaliddevice_count.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dma_cfg->channel_map.device_count comes from a host supplied gateway config blob and was used directly to bound the loop indexing the fixed channel_map.map[GTW_DMA_DEVICE_MAX_COUNT] array, allowing an out-of-bounds read. Reject counts above the ABI maximum with IPC4_INVALID_REQUEST.