Re: [PATCH 2/2] soundwire: qcom: gracefully handle too many ports in DT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 22/02/2023 14:44, Krzysztof Kozlowski wrote:
There are two issues related to the number of ports coming from
Devicetree when exceeding in total QCOM_SDW_MAX_PORTS.  Both lead to
incorrect memory accesses:
1. With DTS having too big value of input or output ports, the driver,
    when copying port parameters from local/stack arrays into 'pconfig'
    array in 'struct qcom_swrm_ctrl', will iterate over their sizes.

2. If DTS also has too many parameters for these ports (e.g.
    qcom,ports-sinterval-low), the driver will overflow buffers on the
    stack when reading these properties from DTS.

Add a sanity check so incorrect DTS will not cause kernel memory
corruption.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxx>
---


Thanks Krzysztof, it make sense.

Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>


--srini
  drivers/soundwire/qcom.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
index 79bebcecde6d..c296e0bf897b 100644
--- a/drivers/soundwire/qcom.c
+++ b/drivers/soundwire/qcom.c
@@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl)
  	ctrl->num_dout_ports = val;
nports = ctrl->num_dout_ports + ctrl->num_din_ports;
+	if (nports > QCOM_SDW_MAX_PORTS)
+		return -EINVAL;
+
  	/* Valid port numbers are from 1-14, so mask out port 0 explicitly */
  	set_bit(0, &ctrl->dout_port_mask);
  	set_bit(0, &ctrl->din_port_mask);



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux