Commit 23ae34e0 authored by Cezary Rojewski's avatar Cezary Rojewski Committed by Mark Brown

ASoC: Intel: avs: Fix potential RX buffer overflow

If an event caused firmware to return invalid RX size for
LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes.
Fix by utilizing min_t().
Reported-by: default avatarCoolStar <coolstarorganization@gmail.com>
Fixes: f14a1c5a ("ASoC: Intel: avs: Add module management requests")
Signed-off-by: default avatarCezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20221010121955.718168-3-cezary.rojewski@intel.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
parent 83375566
...@@ -192,7 +192,8 @@ static void avs_dsp_receive_rx(struct avs_dev *adev, u64 header) ...@@ -192,7 +192,8 @@ static void avs_dsp_receive_rx(struct avs_dev *adev, u64 header)
/* update size in case of LARGE_CONFIG_GET */ /* update size in case of LARGE_CONFIG_GET */
if (msg.msg_target == AVS_MOD_MSG && if (msg.msg_target == AVS_MOD_MSG &&
msg.global_msg_type == AVS_MOD_LARGE_CONFIG_GET) msg.global_msg_type == AVS_MOD_LARGE_CONFIG_GET)
ipc->rx.size = msg.ext.large_config.data_off_size; ipc->rx.size = min_t(u32, AVS_MAILBOX_SIZE,
msg.ext.large_config.data_off_size);
memcpy_fromio(ipc->rx.data, avs_uplink_addr(adev), ipc->rx.size); memcpy_fromio(ipc->rx.data, avs_uplink_addr(adev), ipc->rx.size);
trace_avs_msg_payload(ipc->rx.data, ipc->rx.size); trace_avs_msg_payload(ipc->rx.data, ipc->rx.size);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment