ASoC: SOF: ipc3: Check for upper size limit for the received message

ujfalusi · broonie · commit 989a3e447917 · 2023-03-07T13:57:55.000Z
The sof_ipc3_rx_msg() checks for minimum size of a new rx message but it is missing the check for upper limit. Corrupted or compromised firmware might be able to take advantage of this to cause out of bounds reads outside of the message area. Reported-by: Curtis Malainey <cujomalainey@chromium.org> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Reviewed-by: Curtis Malainey <curtis@malainey.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Link: https://lore.kernel.org/r/20230307114917.5124-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown <broonie@kernel.org>
diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c
@@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev)
 		return;
 	}
 
-	if (hdr.size < sizeof(hdr)) {
-		dev_err(sdev->dev, "The received message size is invalid\n");
+	if (hdr.size < sizeof(hdr) || hdr.size > SOF_IPC_MSG_MAX_SIZE) {
+		dev_err(sdev->dev, "The received message size is invalid: %u\n",
+			hdr.size);
 		return;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -970,8 +970,9 @@ static void sof_ipc3_rx_msg(struct snd_sof_dev *sdev)`
`970`	`970`	`return;`
`971`	`971`	`}`
`972`	`972`
`973`		`- if (hdr.size < sizeof(hdr)) {`
`974`		`- dev_err(sdev->dev, "The received message size is invalid\n");`
	`973`	`+ if (hdr.size < sizeof(hdr) \|\| hdr.size > SOF_IPC_MSG_MAX_SIZE) {`
	`974`	`+ dev_err(sdev->dev, "The received message size is invalid: %u\n",`
	`975`	`+ hdr.size);`
`975`	`976`	`return;`
`976`	`977`	`}`
`977`	`978`