During testing John Stultz and Amit reported few array our bound issues
after enabling bound sanitizer
This patch series attempts to fix those!
changes since v1:
- make sure the wcd is not de-referenced without intialization
Srinivas Kandagatla (3):
ASoC: qcom: sdm845: Fix array out of bounds access
ASoC: qcom: sdm845: Fix array out of range on rx slim channels
ASoC: codecs: wcd934x: add a sanity check in set channel map
sound/soc/codecs/wcd934x.c | 6 ++++++
sound/soc/qcom/sdm845.c | 6 +++---
2 files changed, 9 insertions(+), 3 deletions(-)
--
2.21.0
Static analysis Coverity had detected a potential array out-of-bounds
write issue due to the fact that MAX AFE port Id was set to 16 instead
of using AFE_PORT_MAX macro.
Fix this by properly using AFE_PORT_MAX macro.
Fixes: 1b93a8843147 ("ASoC: qcom: sdm845: handle soundwire stream")
Reported-by: John Stultz <[email protected]>
Signed-off-by: Srinivas Kandagatla <[email protected]>
---
sound/soc/qcom/sdm845.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/qcom/sdm845.c b/sound/soc/qcom/sdm845.c
index 6c2760e27ea6..1e2c2d0902ea 100644
--- a/sound/soc/qcom/sdm845.c
+++ b/sound/soc/qcom/sdm845.c
@@ -33,12 +33,12 @@
struct sdm845_snd_data {
struct snd_soc_jack jack;
bool jack_setup;
- bool stream_prepared[SLIM_MAX_RX_PORTS];
+ bool stream_prepared[AFE_PORT_MAX];
struct snd_soc_card *card;
uint32_t pri_mi2s_clk_count;
uint32_t sec_mi2s_clk_count;
uint32_t quat_tdm_clk_count;
- struct sdw_stream_runtime *sruntime[SLIM_MAX_RX_PORTS];
+ struct sdw_stream_runtime *sruntime[AFE_PORT_MAX];
};
static unsigned int tdm_slot_offset[8] = {0, 4, 8, 12, 16, 20, 24, 28};
--
2.21.0
set channel map can be passed with a channel maps, however if
the number of channels that are passed are more than the actual
supported channels then we would be accessing array out of bounds.
So add a sanity check to validate these numbers!
Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec")
Reported-by: John Stultz <[email protected]>
Signed-off-by: Srinivas Kandagatla <[email protected]>
---
Changes since v1:
- make sure the wcd is not de-referenced without intialization
sound/soc/codecs/wcd934x.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c
index 40f682f5dab8..d18ae5e3ee80 100644
--- a/sound/soc/codecs/wcd934x.c
+++ b/sound/soc/codecs/wcd934x.c
@@ -1873,6 +1873,12 @@ static int wcd934x_set_channel_map(struct snd_soc_dai *dai,
wcd = snd_soc_component_get_drvdata(dai->component);
+ if (tx_num > WCD934X_TX_MAX || rx_num > WCD934X_RX_MAX) {
+ dev_err(wcd->dev, "Invalid tx %d or rx %d channel count\n",
+ tx_num, rx_num);
+ return -EINVAL;
+ }
+
if (!tx_slot || !rx_slot) {
dev_err(wcd->dev, "Invalid tx_slot=%p, rx_slot=%p\n",
tx_slot, rx_slot);
--
2.21.0
WCD934x has only 13 RX SLIM ports however we are setting it as 16
in set_channel_map, this will lead to array out of bounds error!
Orignally caught by enabling USBAN array out of bounds check:
Fixes: 5caf64c633a3 ("ASoC: qcom: sdm845: add support to DB845c and Lenovo Yoga")
Reported-by: John Stultz <[email protected]>
Signed-off-by: Srinivas Kandagatla <[email protected]>
---
sound/soc/qcom/sdm845.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/qcom/sdm845.c b/sound/soc/qcom/sdm845.c
index 1e2c2d0902ea..153e9b2de0b5 100644
--- a/sound/soc/qcom/sdm845.c
+++ b/sound/soc/qcom/sdm845.c
@@ -27,7 +27,7 @@
#define SPK_TDM_RX_MASK 0x03
#define NUM_TDM_SLOTS 8
#define SLIM_MAX_TX_PORTS 16
-#define SLIM_MAX_RX_PORTS 16
+#define SLIM_MAX_RX_PORTS 13
#define WCD934X_DEFAULT_MCLK_RATE 9600000
struct sdm845_snd_data {
--
2.21.0
On Tue, 9 Mar 2021 14:21:26 +0000, Srinivas Kandagatla wrote:
> During testing John Stultz and Amit reported few array our bound issues
> after enabling bound sanitizer
>
> This patch series attempts to fix those!
>
> changes since v1:
> - make sure the wcd is not de-referenced without intialization
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/3] ASoC: qcom: sdm845: Fix array out of bounds access
commit: a5fd5e475655d3830f376e29ca6a7222dc7074cf
[2/3] ASoC: qcom: sdm845: Fix array out of range on rx slim channels
commit: 3ed85d1e1aa53db6fa4398846fbd213a7d87ceac
[3/3] ASoC: codecs: wcd934x: add a sanity check in set channel map
commit: 480c25e7003d0222f64824d4c7afcd274bc66ebd
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
On Tue, Mar 9, 2021 at 6:21 AM Srinivas Kandagatla
<[email protected]> wrote:
>
> During testing John Stultz and Amit reported few array our bound issues
> after enabling bound sanitizer
>
> This patch series attempts to fix those!
>
> changes since v1:
> - make sure the wcd is not de-referenced without intialization
>
> Srinivas Kandagatla (3):
> ASoC: qcom: sdm845: Fix array out of bounds access
> ASoC: qcom: sdm845: Fix array out of range on rx slim channels
> ASoC: codecs: wcd934x: add a sanity check in set channel map
For the whole series:
Tested-by: John Stultz <[email protected]>
Thanks so much for fixing these up so fast!
-john