Skip to content

module_adapter: validate config sizes and isolate per-instance state#10920

Open
lgirdwood wants to merge 3 commits into
thesofproject:mainfrom
lgirdwood:fix-module-adapter
Open

module_adapter: validate config sizes and isolate per-instance state#10920
lgirdwood wants to merge 3 commits into
thesofproject:mainfrom
lgirdwood:fix-module-adapter

Conversation

@lgirdwood

@lgirdwood lgirdwood commented Jun 15, 2026

Copy link
Copy Markdown
Member

Hardening of the module_adapter and a couple of codec wrappers:

  • cadence: validate the init payload is large enough before reading the
    direction field past the codec params
  • waves: check a full TLV header remains in the config blob before reading it
  • module_adapter (IPC3): move the fragmented-transfer reassembly size out of a
    file-scope static into per-instance state, so interleaved transfers to
    different components can't corrupt each other

No functional change for valid configurations.

Copilot AI review requested due to automatic review settings June 15, 2026 14:56
Copilot AI reviewed Jun 15, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Hardens module_adapter and codec wrappers by validating configuration buffer sizes before dereferencing and by isolating fragmented transfer reassembly state per component instance to avoid cross-component corruption.

Changes:

  • Added per-instance runtime_params_size to processing_module to track fragmented runtime-params transfer size.
  • Added bounds checks in Waves TLV parsing and Cadence init parsing to prevent out-of-bounds reads.
  • Updated IPC3 module_adapter get/set params path to use per-instance reassembly size instead of a static.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
src/include/module/module/base.h Adds per-instance field for fragmented transfer reassembly sizing.
src/audio/module_adapter/module_adapter_ipc3.c Switches from static reassembly size to per-instance state.
src/audio/module_adapter/module/waves/waves.c Adds header-size bounds check before reading TLV header fields.
src/audio/module_adapter/module/cadence_ipc4.c Validates init payload is large enough before reading direction word.

Comment thread src/audio/module_adapter/module/cadence_ipc4.c Outdated
Comment on lines 276 to 277
init_bytes = (uint8_t *)ext_data->module_data;
cd->direction = *(uint32_t *)(init_bytes + sizeof(struct snd_codec));

@lgirdwood lgirdwood Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed — the direction word is now read with memcpy into a local uint32_t instead of dereferencing a possibly-unaligned uint32_t *. (Host and DSP are both little-endian for these IPC fields, so no byte-swap is needed.)

Comment thread src/audio/module_adapter/module/waves/waves.c
Comment on lines +618 to +622
if (index + header_size > cfg->size) {
comp_err(dev, "module_param header exceeds cfg buffer size: %d",
cfg->size);
return -EINVAL;
}

@lgirdwood lgirdwood Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed — the message now logs the index, header size and config size with matching specifiers: index %u (header %u) exceeds cfg size %zu (cfg->size is size_t).

Comment thread src/audio/module_adapter/module_adapter_ipc3.c Outdated
* across all module_adapter components and corrupted by interleaved
* fragmented transfers
*/
uint32_t *size = &mod->runtime_params_size;

@lgirdwood lgirdwood Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed — dropped the size pointer alias and use mod->runtime_params_size directly in the reassembly arithmetic.

Comment thread src/include/module/module/base.h Outdated
Comment on lines +121 to +125
/* total size of a fragmented runtime-params (get/set) transfer, kept
* per instance so concurrent transfers to different components do not
* corrupt each other's reassembly state
*/
uint32_t runtime_params_size;

@lgirdwood lgirdwood Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point — moved the new field to the end of struct processing_module (after the existing private members) so the offsets of all pre-existing fields are unchanged.

lyakh
lyakh requested changes Jun 16, 2026
View reviewed changes
Comment thread src/audio/module_adapter/module/cadence_ipc4.c Outdated
/* direction follows the codec params in init data; make sure the
* payload is large enough to hold it before dereferencing
*/
if (size < (int)(sizeof(struct snd_codec) + sizeof(uint32_t))) {

@lyakh lyakh Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be checked right in the beginning of this block, e.g. after line 247 above.

@lgirdwood lgirdwood Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — moved the size check to the top of the block (right after the variable declarations, before the allocation), so a too-small payload is rejected up front.

lrgirdwo added 3 commits June 16, 2026 10:46
@lrgirdwo
cadence: validate init payload covers the direction field
f746543 
The init path read the direction word at a fixed offset past the codec
params without checking the payload was large enough, reading past the
mailbox. Require the payload to cover the field.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
@lrgirdwo
waves: check remaining size before reading a tlv header
913a776 
The config parse loop read a parameter header before confirming a whole
header remained in the blob, reading past it near the end. Bound the
read by the remaining size.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
@lrgirdwo
module_adapter: make fragmented-transfer size per-instance
64cadca 
The reassembly size for fragmented runtime-params transfers was a
file-scope static shared by every component, so interleaved transfers to
different components corrupted each other's state. Move it into
per-instance module state.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
@lgirdwood lgirdwood force-pushed the fix-module-adapter branch from 0c0e552 to 64cadca Compare June 16, 2026 09:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lyakh lyakh lyakh requested changes

@singalsu singalsu singalsu approved these changes

@ranj063 ranj063 Awaiting requested review from ranj063 ranj063 is a code owner

@plbossart plbossart Awaiting requested review from plbossart plbossart is a code owner

@mmaka1 mmaka1 Awaiting requested review from mmaka1 mmaka1 is a code owner

@lbetlej lbetlej Awaiting requested review from lbetlej lbetlej is a code owner

@dbaluta dbaluta Awaiting requested review from dbaluta dbaluta is a code owner

@kv2019i kv2019i Awaiting requested review from kv2019i kv2019i is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lgirdwood @lyakh @singalsu @lrgirdwo