If user space provides smaller buffer than the IPC4 reply then it is possible that we corrupt user space memory since the IPC4 dfs_read function is not using the count directly in copy_to_user() due to the nature of an IPC4 message. Cap the remaining counter to make sure that we are not writing too much to the user space provided buffer. Add a check also to make sure that the buffer is at least the size of the IPC4 header. Fixes: 066c67624d8c: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages" Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@xxxxxxxxxxxxxxx> --- sound/soc/sof/sof-client-ipc-msg-injector.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c index c2480317730c..03490a4d4ae7 100644 --- a/sound/soc/sof/sof-client-ipc-msg-injector.c +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c @@ -76,12 +76,17 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file, struct sof_client_dev *cdev = file->private_data; struct sof_msg_inject_priv *priv = cdev->data; struct sof_ipc4_msg *ipc4_msg = priv->rx_buffer; + size_t header_size = sizeof(ipc4_msg->header_u64); size_t remaining; if (!ipc4_msg->header_u64 || !count || *ppos) return 0; - remaining = sizeof(ipc4_msg->header_u64); + /* we need space for the header at minimum (u64) */ + if (count < header_size) + return -ENOSPC; + + remaining = header_size; /* Only get large config have payload */ if (SOF_IPC4_MSG_IS_MODULE_MSG(ipc4_msg->primary) && @@ -90,13 +95,15 @@ static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file, if (count > remaining) count = remaining; + else if (count < remaining) + remaining = count; /* copy the header first */ - if (copy_to_user(buffer, &ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64))) + if (copy_to_user(buffer, &ipc4_msg->header_u64, header_size)) return -EFAULT; - *ppos += sizeof(ipc4_msg->header_u64); - remaining -= sizeof(ipc4_msg->header_u64); + *ppos += header_size; + remaining -= header_size; if (!remaining) return count; -- 2.36.1