Re: out-of-bounds access in sound/soc/sof/topology.c

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 27/04/2022 09:55, Sergey Senozhatsky wrote:
> On (22/04/19 08:07), Pierre-Louis Bossart wrote:
>>> Your analyzes are spot on, unfortunately. But...
>>>
>>> As of today, the sof_get_control_data() is in the call path of
>>> (ipc3-topology.c):
>>>
>>> sof_widget_update_ipc_comp_process() -> sof_process_load() ->
>>> sof_get_control_data()
>>>
>>> sof_widget_update_ipc_comp_process() is the ipc_setup callback for
>>> snd_soc_dapm_effect. If I'm not mistaken these only carries bin payload
>>> and never MIXER/ENUM/SWITCH/VOLUME.
>>> This means that the sof_get_control_data() is only called with
>>> SND_SOC_TPLG_TYPE_BYTES and for that the allocated data area is correct.
>>>
>>> This can explain why we have not seen any issues so far. This does not
>>> renders the code right, as how it is written atm is wrong.
>>
>>
>> Sergey's results with KASAN show that there's a real-life problem though. I also don't understand how that might happen.
>>
>> Could it be that these results are with a specific topology where our assumptions are incorrect?
> 
> Is there anything I can do to help?

I will send a patch shortly, I think it is going to be easy to backport
for you and test it.

-- 
Péter



[Index of Archives]     [ALSA User]     [Linux Audio Users]     [Pulse Audio]     [Kernel Archive]     [Asterisk PBX]     [Photo Sharing]     [Linux Sound]     [Video 4 Linux]     [Gimp]     [Yosemite News]

  Powered by Linux