Message ID | 20230307114917.5124-1-peter.ujfalusi@linux.intel.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 989a3e4479177d0f4afab8be1960731bc0ffbbd0 |
Headers | show |
Series | ASoC: SOF: ipc3: Check for upper size limit for the received message | expand |
On Tue, 07 Mar 2023 13:49:17 +0200, Peter Ujfalusi wrote: > The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is > missing the check for upper limit. > Corrupted or compromised firmware might be able to take advantage of this > to cause out of bounds reads outside of the message area. > > Applied to https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next Thanks! [1/1] ASoC: SOF: ipc3: Check for upper size limit for the received message commit: 989a3e4479177d0f4afab8be1960731bc0ffbbd0 All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark
diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c index 3de64ea2dc9a..4493bbd7faf1 100644 --- a/sound/soc/sof/ipc3.c +++ b/sound/soc/sof/ipc3.c @@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev) return; } - if (hdr.size < sizeof(hdr)) { - dev_err(sdev->dev, "The received message size is invalid\n"); + if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) { + dev_err(sdev->dev, "The received message size is invalid: %u\n", + hdr.size); return; }