ASoC: Intel: avs: Fix potential RX buffer overflow

If an event caused firmware to return invalid RX size for LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes. Fix by utilizing min_t(). Reported-by: CoolStar <coolstarorganization@gmail.com> Fixes: f14a1c5a ("ASoC: Intel: avs: Add module management requests") Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com> Link: https://lore.kernel.org/r/20221010121955.718168-3-cezary.rojewski@intel.comSigned-off-by: Mark Brown <broonie@kernel.org>

ASoC: Intel: avs: Fix potential RX buffer overflow
If an event caused firmware to return invalid RX size for LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes. Fix by utilizing min_t(). Reported-by: CoolStar <coolstarorganization@gmail.com> Fixes: f14a1c5a ("ASoC: Intel: avs: Add module management requests") Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com> Link: https://lore.kernel.org/r/20221010121955.718168-3-cezary.rojewski@intel.comSigned-off-by: Mark Brown <broonie@kernel.org>
23ae34e0 · Cezary Rojewski · Mark Brown · 83375566 · 23ae34e0
Commit 23ae34e0 authored Oct 10, 2022 by Cezary Rojewski Committed by Mark Brown Oct 17, 2022
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

sound/soc/intel/avs/ipc.c sound/soc/intel/avs/ipc.c +2 -1

No files found.
--- a/sound/soc/intel/avs/ipc.c
+++ b/sound/soc/intel/avs/ipc.c
@@ -192,7 +192,8 @@ static void avs_dsp_receive_rx(struct avs_dev *adev, u64 header)
 		/* update size in case of LARGE_CONFIG_GET */
 		if (msg.msg_target == AVS_MOD_MSG &&
 		    msg.global_msg_type == AVS_MOD_LARGE_CONFIG_GET)
-			ipc->rx.size = msg.ext.large_config.data_off_size;
+			ipc->rx.size = min_t(u32, AVS_MAILBOX_SIZE,
+					     msg.ext.large_config.data_off_size);

 		memcpy_fromio(ipc->rx.data, avs_uplink_addr(adev), ipc->rx.size);
 		trace_avs_msg_payload(ipc->rx.data, ipc->rx.size);