From patchwork Fri Feb 24 02:48:41 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Takashi Sakamoto <takashi.sakamoto@miraclelinux.com>
X-Patchwork-Id: 9589497
Return-Path: <alsa-devel-bounces@alsa-project.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	25629601AE for <patchwork-alsa-devel@patchwork.kernel.org>;
	Fri, 24 Feb 2017 07:39:04 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 16E6128779
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Fri, 24 Feb 2017 07:39:04 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 0B2E62879A; Fri, 24 Feb 2017 07:39:04 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_NONE,T_DKIM_INVALID autolearn=no version=3.3.1
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0F26C28779
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Fri, 24 Feb 2017 07:39:03 +0000 (UTC)
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id 5E24726708E;
	Fri, 24 Feb 2017 08:37:31 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 2877E266FF1; Fri, 24 Feb 2017 03:49:01 +0100 (CET)
Received: from mail-pf0-f169.google.com (mail-pf0-f169.google.com
	[209.85.192.169])
	by alsa0.perex.cz (Postfix) with ESMTP id 7CBB0266FED
	for <alsa-devel@alsa-project.org>;
	Fri, 24 Feb 2017 03:48:51 +0100 (CET)
Received: by mail-pf0-f169.google.com with SMTP id 68so878606pfx.2
	for <alsa-devel@alsa-project.org>;
	Thu, 23 Feb 2017 18:48:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=miraclelinux-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id;
	bh=eyiK7avqu1FBxILnTkUqx35Xj2CUVUoTH070DgeqsgI=;
	b=G4YxYdTbFiDBFSrTQBtYJbdfiObUX3aSvfTP3Cv6qSnuhVMt53jU68lO+I6aCwylbF
	vU1n9fM/NTVuAiPzFjTNwnCFwb6C5rFgJxQ/asZRkJrZ4ZI+kyweU2Kj8//qCIK0yKK4
	BW4BCGWs3a+9Uu+Gm2WctipluOgKtf2cFLfkZNW5Sn+gwd1r2V3vfMSQqe0VmGurCQ28
	8KROYhyUpHbIgwNofJZ7DvyLqoytZI9rFzJoWrQETcUw10MRq2Nr8o/Mm9Cxl6tO4hvr
	3OBdM42pnPWr2J6rvmvGLh13+QjcpH6rSrZkaN2T5bwL4K7cZ8mj9OseJhTTALIeDaPb
	W9gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=eyiK7avqu1FBxILnTkUqx35Xj2CUVUoTH070DgeqsgI=;
	b=CN3QiSn0H9ClRg4xMi2SS40qXeFzQTBi97CbBiCmu6abvqdXFr45aWqqrwUzOcUABl
	sEqo1Kkk8tcjm1ZctCdOODM2hIeYZu+qkUDW88u6zE1PlfOMP5F6zULf5tR4IwBNw7zX
	xCDW1mf9PkbLNy/9QM0H9BiYtP1rHbF6TFwjFZTuZD3ZPhkns9sE0lB4ewlfQKdThbVp
	SO3xFZ1V5kwIo9mOk6ERlAwnJYXhsBQgvJnNW1enTf8BD7CJ3UOnKA0FiKCZ5gdzW4zG
	fLdsIEKD1Wue0L2WNOwWz6JxUs8wQvIGc01Sr2sJB0UOUO2tBALXYUdPbjOaBOgc4yDO
	/DsQ==
X-Gm-Message-State: 
 AMke39n6AFSvWWTWdGAjgt3ntCIKIR9rWpKnMGFZF0tDsNUougx7oK3Q2saYWiyVSiLPUwUx
X-Received: by 10.98.78.66 with SMTP id c63mr566426pfb.138.1487904528623;
	Thu, 23 Feb 2017 18:48:48 -0800 (PST)
Received: from Mocchi64.miraclelinux.com (rt.miraclelinux.com.
	[221.114.197.178]) by smtp.gmail.com with ESMTPSA id
	x2sm12012572pfa.71.2017.02.23.18.48.46
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 23 Feb 2017 18:48:48 -0800 (PST)
From: Takashi Sakamoto <takashi.sakamoto@miraclelinux.com>
To: broonie@kernel.org,
	jeeja.kp@intel.com,
	shreyas.nc@intel.com
Date: Fri, 24 Feb 2017 11:48:41 +0900
Message-Id: <20170224024841.10515-1-takashi.sakamoto@miraclelinux.com>
X-Mailer: git-send-email 2.9.3
X-Mailman-Approved-At: Fri, 24 Feb 2017 08:37:25 +0100
Cc: alsa-devel@alsa-project.org, hirotaka.furukawa@miraclelinux.com,
	ichiro.suzuki@miraclelinux.com, ryotaro.shibata@miraclelinux.com,
	"# v4 . 5+" <stable@vger.kernel.org>,
	Takashi Sakamoto <o-takashi@sakamocchi.jp>, yukie.kato@miraclelinux.com
Subject: [alsa-devel] [PATCH] ASoC: Intel: Skylake: fix invalid memory
	access due to wrong reference of pointer
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

In 'skl_tplg_set_module_init_data()', a pointer to 'params' member of
'struct skl_algo_data' is calculated, then casted to (u32 *) and assigned
to a member of configuration data. The configuration data is passed to the
other functions and used to process intel IPC. In this processing, the
value of member is used to get message data, however this can bring invalid
memory access in 'skl_set_module_params()' as a result of calculation of
a pointer for actual message data.

(sound/soc/intel/skylake/skl-topology.c)
skl_tplg_init_pipe_modules()
->skl_tplg_set_module_init_data() (has this bug)
->skl_tplg_set_module_params()
  (sound/soc/intel/skylake/skl-messages.c)
  ->skl_set_module_params()
    ((char *)param) + data_offset

This commit fixes the bug.

Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org> # v4.5+
Fixes: abb740033b56 ("ASoC: Intel: Skylake: Add support to configure module params")
Signed-off-by: Takashi Sakamoto <takashi.sakamoto@miraclelinux.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
---
 sound/soc/intel/skylake/skl-topology.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c
index ed58b5b..2dbfb1b 100644
--- a/sound/soc/intel/skylake/skl-topology.c
+++ b/sound/soc/intel/skylake/skl-topology.c
@@ -512,7 +512,7 @@ static int skl_tplg_set_module_init_data(struct snd_soc_dapm_widget *w)
 			if (bc->set_params != SKL_PARAM_INIT)
 				continue;
 
-			mconfig->formats_config.caps = (u32 *)&bc->params;
+			mconfig->formats_config.caps = (u32 *)bc->params;
 			mconfig->formats_config.caps_size = bc->size;
 
 			break;