Hi,
Static analysis on linux-next with Coverity had detected a potential
array out-of-bounds write issue in the following commit:
commit aa2e2785545aab21b6cb2e23f111ae0751cbcca7
Author: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>
Date: Mon Oct 26 17:09:47 2020 +0000
ASoC: qcom: sm8250: add sound card qrb5165-rb5 support
The analysis is as follows:
139 static int sm8250_snd_hw_free(struct snd_pcm_substream *substream)
140 {
141 struct snd_soc_pcm_runtime *rtd = substream->private_data;
142 struct sm8250_snd_data *data =
snd_soc_card_get_drvdata(rtd->card);
143 struct snd_soc_dai *cpu_dai = asoc_rtd_to_cpu(rtd, 0);
144 struct sdw_stream_runtime *sruntime =
data->sruntime[cpu_dai->id];
145
1. Switch case value 105.
146 switch (cpu_dai->id) {
2. equality_cond: Jumping to case 105.
147 case WSA_CODEC_DMA_RX_0:
148 case WSA_CODEC_DMA_RX_1:
Out-of-bounds write (OVERRUN)
3. Condition sruntime, taking true branch.
4. Condition data->stream_prepared[cpu_dai->id], taking true branch.
149 if (sruntime && data->stream_prepared[cpu_dai->id]) {
150 sdw_disable_stream(sruntime);
151 sdw_deprepare_stream(sruntime);
Out-of-bounds write (OVERRUN)
5. overrun-local: Overrunning array data->stream_prepared of 16 bytes
at byte offset 105 using index cpu_dai->id (which evaluates to 105).
152 data->stream_prepared[cpu_dai->id] = false;
153 }
154 break;
155 default:
156 break;
157 }
158
159 return 0;
160 }
So cpu_dia->id is 105 in this case statement, and yet
data->steam_prepared is an array of 16 elements, so this looks suspect.
Colin
