From patchwork Wed Feb 3 12:29:44 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vinod Koul X-Patchwork-Id: 8201721 Return-Path: X-Original-To: patchwork-alsa-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id B5F0A9F1C0 for ; Wed, 3 Feb 2016 12:27:14 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id F39432025B for ; Wed, 3 Feb 2016 12:27:13 +0000 (UTC) Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) by mail.kernel.org (Postfix) with ESMTP id 1226420279 for ; Wed, 3 Feb 2016 12:27:13 +0000 (UTC) Received: by alsa0.perex.cz (Postfix, from userid 1000) id 66583265B6D; Wed, 3 Feb 2016 13:27:08 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_DNS_FOR_FROM, RCVD_IN_DNSWL_NONE,UNPARSEABLE_RELAY autolearn=no version=3.3.1 Received: from alsa0.perex.cz (localhost [127.0.0.1]) by alsa0.perex.cz (Postfix) with ESMTP id D129D2616C9; Wed, 3 Feb 2016 13:26:36 +0100 (CET) X-Original-To: alsa-devel@alsa-project.org Delivered-To: alsa-devel@alsa-project.org Received: by alsa0.perex.cz (Postfix, from userid 1000) id EC0E0261740; Wed, 3 Feb 2016 13:26:35 +0100 (CET) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by alsa0.perex.cz (Postfix) with ESMTP id C116D26066D for ; Wed, 3 Feb 2016 13:26:28 +0100 (CET) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga103.jf.intel.com with ESMTP; 03 Feb 2016 04:26:28 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.22,390,1449561600"; d="scan'208";a="895479342" Received: from vkoul-udesk7.iind.intel.com ([10.223.84.39]) by fmsmga001.fm.intel.com with ESMTP; 03 Feb 2016 04:26:25 -0800 From: Vinod Koul To: alsa-devel@alsa-project.org Date: Wed, 3 Feb 2016 17:59:44 +0530 Message-Id: <1454502594-21700-2-git-send-email-vinod.koul@intel.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1454502594-21700-1-git-send-email-vinod.koul@intel.com> References: <1454502594-21700-1-git-send-email-vinod.koul@intel.com> Cc: liam.r.girdwood@linux.intel.com, patches.audio@intel.com, broonie@kernel.org, Vinod Koul Subject: [alsa-devel] [PATCH 01/11] ASoC: Intel: Skylake: Fix the memory overwrite of tlv buffer X-BeenThere: alsa-devel@alsa-project.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: alsa-devel-bounces@alsa-project.org Sender: alsa-devel-bounces@alsa-project.org X-Virus-Scanned: ClamAV using ClamSMTP TLV buffer can be smaller than the module data, so update the size of data to be copied before doing the copy. Also TLV header consists of two unsigned ints, this is also taken into account here and size modified to reflect this Suggested-by: Takashi Iwai Signed-off-by: Vinod Koul --- sound/soc/intel/skylake/skl-topology.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c index 4624556f486d..d1ddfdac22fe 100644 --- a/sound/soc/intel/skylake/skl-topology.c +++ b/sound/soc/intel/skylake/skl-topology.c @@ -916,6 +916,13 @@ static int skl_tplg_tlv_control_get(struct snd_kcontrol *kcontrol, skl_get_module_params(skl->skl_sst, (u32 *)bc->params, bc->max, bc->param_id, mconfig); + /* decrement size for TLV header */ + size -= 2 * sizeof(u32); + + /* check size as we don't want to send kernel data */ + if (size > bc->max) + size = bc->max; + if (bc->params) { if (copy_to_user(data, &bc->param_id, sizeof(u32))) return -EFAULT;