diff mbox series

[2/2] soundwire: qcom: gracefully handle too many ports in DT

Message ID 20230222144412.237832-2-krzysztof.kozlowski@linaro.org (mailing list archive)
State New, archived
Headers show
Series [1/2] soundwire: qcom: define hardcoded version magic numbers | expand

Commit Message

Krzysztof Kozlowski Feb. 22, 2023, 2:44 p.m. UTC 
There are two issues related to the number of ports coming from
Devicetree when exceeding in total QCOM_SDW_MAX_PORTS.  Both lead to
incorrect memory accesses:
1. With DTS having too big value of input or output ports, the driver,
   when copying port parameters from local/stack arrays into 'pconfig'
   array in 'struct qcom_swrm_ctrl', will iterate over their sizes.

2. If DTS also has too many parameters for these ports (e.g.
   qcom,ports-sinterval-low), the driver will overflow buffers on the
   stack when reading these properties from DTS.

Add a sanity check so incorrect DTS will not cause kernel memory
corruption.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
---
 drivers/soundwire/qcom.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Konrad Dybcio Feb. 22, 2023, 2:47 p.m. UTC | #1 
On 22.02.2023 15:44, Krzysztof Kozlowski wrote:
> There are two issues related to the number of ports coming from
> Devicetree when exceeding in total QCOM_SDW_MAX_PORTS.  Both lead to
> incorrect memory accesses:
> 1. With DTS having too big value of input or output ports, the driver,
>    when copying port parameters from local/stack arrays into 'pconfig'
>    array in 'struct qcom_swrm_ctrl', will iterate over their sizes.
> 
> 2. If DTS also has too many parameters for these ports (e.g.
>    qcom,ports-sinterval-low), the driver will overflow buffers on the
>    stack when reading these properties from DTS.
> 
> Add a sanity check so incorrect DTS will not cause kernel memory
> corruption.
> 
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> ---
Fixes: 02efb49aa805 ("soundwire: qcom: add support for SoundWire controller")

Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>

Konrad
>  drivers/soundwire/qcom.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
> index 79bebcecde6d..c296e0bf897b 100644
> --- a/drivers/soundwire/qcom.c
> +++ b/drivers/soundwire/qcom.c
> @@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl)
>  	ctrl->num_dout_ports = val;
>  
>  	nports = ctrl->num_dout_ports + ctrl->num_din_ports;
> +	if (nports > QCOM_SDW_MAX_PORTS)
> +		return -EINVAL;
> +
>  	/* Valid port numbers are from 1-14, so mask out port 0 explicitly */
>  	set_bit(0, &ctrl->dout_port_mask);
>  	set_bit(0, &ctrl->din_port_mask);
Krzysztof Kozlowski Feb. 22, 2023, 2:50 p.m. UTC | #2 
On 22/02/2023 15:47, Konrad Dybcio wrote:
> 
> 
> On 22.02.2023 15:44, Krzysztof Kozlowski wrote:
>> There are two issues related to the number of ports coming from
>> Devicetree when exceeding in total QCOM_SDW_MAX_PORTS.  Both lead to
>> incorrect memory accesses:
>> 1. With DTS having too big value of input or output ports, the driver,
>>    when copying port parameters from local/stack arrays into 'pconfig'
>>    array in 'struct qcom_swrm_ctrl', will iterate over their sizes.
>>
>> 2. If DTS also has too many parameters for these ports (e.g.
>>    qcom,ports-sinterval-low), the driver will overflow buffers on the
>>    stack when reading these properties from DTS.
>>
>> Add a sanity check so incorrect DTS will not cause kernel memory
>> corruption.
>>
>> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
>> ---
> Fixes: 02efb49aa805 ("soundwire: qcom: add support for SoundWire controller")

Can be... but is it really a bug of the kernel? Issue is visible with
incorrect DTS and it's not the kernel's job to fix it. If DTS has
incorrect values (e.g. IO addresses) system won't work anyway and that's
the same type of bug.

Best regards,
Krzysztof
Konrad Dybcio Feb. 22, 2023, 2:53 p.m. UTC | #3 
On 22.02.2023 15:50, Krzysztof Kozlowski wrote:
> On 22/02/2023 15:47, Konrad Dybcio wrote:
>>
>>
>> On 22.02.2023 15:44, Krzysztof Kozlowski wrote:
>>> There are two issues related to the number of ports coming from
>>> Devicetree when exceeding in total QCOM_SDW_MAX_PORTS.  Both lead to
>>> incorrect memory accesses:
>>> 1. With DTS having too big value of input or output ports, the driver,
>>>    when copying port parameters from local/stack arrays into 'pconfig'
>>>    array in 'struct qcom_swrm_ctrl', will iterate over their sizes.
>>>
>>> 2. If DTS also has too many parameters for these ports (e.g.
>>>    qcom,ports-sinterval-low), the driver will overflow buffers on the
>>>    stack when reading these properties from DTS.
>>>
>>> Add a sanity check so incorrect DTS will not cause kernel memory
>>> corruption.
>>>
>>> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
>>> ---
>> Fixes: 02efb49aa805 ("soundwire: qcom: add support for SoundWire controller")
> 
> Can be... but is it really a bug of the kernel? Issue is visible with
> incorrect DTS and it's not the kernel's job to fix it. If DTS has
> incorrect values (e.g. IO addresses) system won't work anyway and that's
> the same type of bug.
I'm not sure to what extent the kernel should be responsible for
checking DT sanity, but in case of a buffer overflow, I really
think it definitely deserves a fixes tag.

Konrad

> 
> Best regards,
> Krzysztof
>
Srinivas Kandagatla March 15, 2023, 1:55 p.m. UTC | #4 
On 22/02/2023 14:44, Krzysztof Kozlowski wrote:
> There are two issues related to the number of ports coming from
> Devicetree when exceeding in total QCOM_SDW_MAX_PORTS.  Both lead to
> incorrect memory accesses:
> 1. With DTS having too big value of input or output ports, the driver,
>     when copying port parameters from local/stack arrays into 'pconfig'
>     array in 'struct qcom_swrm_ctrl', will iterate over their sizes.
> 
> 2. If DTS also has too many parameters for these ports (e.g.
>     qcom,ports-sinterval-low), the driver will overflow buffers on the
>     stack when reading these properties from DTS.
> 
> Add a sanity check so incorrect DTS will not cause kernel memory
> corruption.
> 
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> ---


Thanks Krzysztof, it make sense.

Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>


--srini
>   drivers/soundwire/qcom.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
> index 79bebcecde6d..c296e0bf897b 100644
> --- a/drivers/soundwire/qcom.c
> +++ b/drivers/soundwire/qcom.c
> @@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl)
>   	ctrl->num_dout_ports = val;
>   
>   	nports = ctrl->num_dout_ports + ctrl->num_din_ports;
> +	if (nports > QCOM_SDW_MAX_PORTS)
> +		return -EINVAL;
> +
>   	/* Valid port numbers are from 1-14, so mask out port 0 explicitly */
>   	set_bit(0, &ctrl->dout_port_mask);
>   	set_bit(0, &ctrl->din_port_mask);
diff mbox series

Patch

diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
index 79bebcecde6d..c296e0bf897b 100644
--- a/drivers/soundwire/qcom.c
+++ b/drivers/soundwire/qcom.c
@@ -1218,6 +1218,9 @@  static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl)
 	ctrl->num_dout_ports = val;
 
 	nports = ctrl->num_dout_ports + ctrl->num_din_ports;
+	if (nports > QCOM_SDW_MAX_PORTS)
+		return -EINVAL;
+
 	/* Valid port numbers are from 1-14, so mask out port 0 explicitly */
 	set_bit(0, &ctrl->dout_port_mask);
 	set_bit(0, &ctrl->din_port_mask);