[v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup

Message ID	20210125104442.135899-1-stephan@gerhold.net
State	Accepted
Commit	70041000450d0a071bf9931d634c8e2820340236
Headers	show Return-Path: <SRS0=LtCP=G4=alsa-project.org=alsa-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 581642251D From: Stephan Gerhold <stephan@gerhold.net> To: Mark Brown <broonie@kernel.org> Subject: [PATCH v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup Date: Mon, 25 Jan 2021 11:44:42 +0100 Message-Id: <20210125104442.135899-1-stephan@gerhold.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Cc: alsa-devel@alsa-project.org, Banajit Goswami <bgoswami@codeaurora.org>, Srinivasa Rao Mandadapu <srivasam@codeaurora.org>, Stephan Gerhold <stephan@gerhold.net>, Liam Girdwood <lgirdwood@gmail.com>, Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Precedence: list Errors-To: alsa-devel-bounces@alsa-project.org Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>
Series	[v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup \| expand [v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup

Message ID

20210125104442.135899-1-stephan@gerhold.net

State

Accepted

Commit

70041000450d0a071bf9931d634c8e2820340236

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 581642251D
From: Stephan Gerhold <stephan@gerhold.net>
To: Mark Brown <broonie@kernel.org>
Subject: [PATCH v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup
Date: Mon, 25 Jan 2021 11:44:42 +0100
Message-Id: <20210125104442.135899-1-stephan@gerhold.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: alsa-devel@alsa-project.org, Banajit Goswami <bgoswami@codeaurora.org>, 
	Srinivasa Rao Mandadapu <srivasam@codeaurora.org>,
	Stephan Gerhold <stephan@gerhold.net>,
	Liam Girdwood <lgirdwood@gmail.com>, 
	Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Precedence: list
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>

Series

[v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup | expand

Commit Message

Stephan Gerhold Jan. 25, 2021, 10:44 a.m. UTC

The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real
DAI ID, not an index into v->dai_driver. Looking it up again seems
entirely redundant.

For IPQ806x (and SC7180 since commit 09a4f6f5d21c
("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is
now often an out-of-bounds read because the indexes in the "dai_driver"
array no longer match the actual DAI ID.

Cc: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
---
Changes in v2:
  - Extracted from https://lore.kernel.org/alsa-devel/20210114094615.58191-2-stephan@gerhold.net/
  - Change commit message to clarify that this is usually not just
    redundant now but actually a broken out-of-bounds lookup.
---
 sound/soc/qcom/lpass-lpaif-reg.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Srinivas Kandagatla Jan. 25, 2021, 11:01 a.m. UTC | #1

On 25/01/2021 10:44, Stephan Gerhold wrote:
> The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real
> DAI ID, not an index into v->dai_driver. Looking it up again seems
> entirely redundant.
> 
> For IPQ806x (and SC7180 since commit 09a4f6f5d21c
> ("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is
> now often an out-of-bounds read because the indexes in the "dai_driver"
> array no longer match the actual DAI ID.
> 
> Cc: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
> Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
> Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver")
> Signed-off-by: Stephan Gerhold <stephan@gerhold.net>

Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

> ---
> Changes in v2:
>    - Extracted from https://lore.kernel.org/alsa-devel/20210114094615.58191-2-stephan@gerhold.net/
>    - Change commit message to clarify that this is usually not just
>      redundant now but actually a broken out-of-bounds lookup.
> ---
>   sound/soc/qcom/lpass-lpaif-reg.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/soc/qcom/lpass-lpaif-reg.h b/sound/soc/qcom/lpass-lpaif-reg.h
> index 405542832e99..baf72f124ea9 100644
> --- a/sound/soc/qcom/lpass-lpaif-reg.h
> +++ b/sound/soc/qcom/lpass-lpaif-reg.h
> @@ -133,7 +133,7 @@
>   #define	LPAIF_WRDMAPERCNT_REG(v, chan)	LPAIF_WRDMA_REG_ADDR(v, 0x14, (chan))
>   
>   #define LPAIF_INTFDMA_REG(v, chan, reg, dai_id)  \
> -		((v->dai_driver[dai_id].id ==  LPASS_DP_RX) ? \
> +	((dai_id ==  LPASS_DP_RX) ? \
>   		LPAIF_HDMI_RDMA##reg##_REG(v, chan) : \
>   		 LPAIF_RDMA##reg##_REG(v, chan))
>   
>

diff --git a/sound/soc/qcom/lpass-lpaif-reg.h b/sound/soc/qcom/lpass-lpaif-reg.h
index 405542832e99..baf72f124ea9 100644
--- a/sound/soc/qcom/lpass-lpaif-reg.h
+++ b/sound/soc/qcom/lpass-lpaif-reg.h
@@ -133,7 +133,7 @@ 
 #define	LPAIF_WRDMAPERCNT_REG(v, chan)	LPAIF_WRDMA_REG_ADDR(v, 0x14, (chan))
 
 #define LPAIF_INTFDMA_REG(v, chan, reg, dai_id)  \
-		((v->dai_driver[dai_id].id ==  LPASS_DP_RX) ? \
+	((dai_id ==  LPASS_DP_RX) ? \
 		LPAIF_HDMI_RDMA##reg##_REG(v, chan) : \
 		 LPAIF_RDMA##reg##_REG(v, chan))

[v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup

Commit Message

Comments

Patch