lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8986a1c6-b546-7a66-a778-048487624c95@linux.intel.com>
Date:   Tue, 19 Apr 2022 14:50:11 +0300
From:   Péter Ujfalusi <peter.ujfalusi@...ux.intel.com>
To:     Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
        Sergey Senozhatsky <senozhatsky@...omium.org>,
        Liam Girdwood <liam.r.girdwood@...ux.intel.com>,
        Ranjani Sridharan <ranjani.sridharan@...ux.intel.com>,
        Kai Vehmanen <kai.vehmanen@...ux.intel.com>,
        Jaska Uimonen <jaska.uimonen@...ux.intel.com>
Cc:     alsa-devel@...a-project.org, linux-kernel@...r.kernel.org,
        Takashi Iwai <tiwai@...e.com>,
        Tomasz Figa <tfiga@...omium.org>,
        Mark Brown <broonie@...nel.org>,
        Ricardo Ribalda <ribalda@...omium.org>,
        sound-open-firmware@...a-project.org
Subject: Re: out-of-bounds access in sound/soc/sof/topology.c

Hi Sergey, Pierre,

On 15/04/2022 19:00, Pierre-Louis Bossart wrote:
> Thanks Sergey for this email.
> 
> On 4/15/22 04:23, Sergey Senozhatsky wrote:
>> Hi,
>>
>> I'm running 5.10.111 LTS, so if this has been fixed already then we definitely
>> want to cherry pick the fix for -stable.

I'm afraid, that this is still valid as of today, but in real life I
don't think it can happen.

>> Anonymous union in this struct is of zero size
>>
>> /* generic control data */
>> struct sof_ipc_ctrl_data {
>>         struct sof_ipc_reply rhdr;
>>         uint32_t comp_id;
>>
>>         /* control access and data type */
>>         uint32_t type;          /**< enum sof_ipc_ctrl_type */
>>         uint32_t cmd;           /**< enum sof_ipc_ctrl_cmd */
>>         uint32_t index;         /**< control index for comps > 1 control */
>>
>>         /* control data - can either be appended or DMAed from host */
>>         struct sof_ipc_host_buffer buffer;
>>         uint32_t num_elems;     /**< in array elems or bytes for data type */
>>         uint32_t elems_remaining;       /**< elems remaining if sent in parts */
>>
>>         uint32_t msg_index;     /**< for large messages sent in parts */
>>
>>         /* reserved for future use */
>>         uint32_t reserved[6];
>>
>>         /* control data - add new types if needed */
>>         union {
>>                 /* channel values can be used by volume type controls */
>>                 struct sof_ipc_ctrl_value_chan chanv[0];
>>                 /* component values used by routing controls like mux, mixer */
>>                 struct sof_ipc_ctrl_value_comp compv[0];
>>                 /* data can be used by binary controls */
>>                 struct sof_abi_hdr data[0];
>>         };
>> } __packed;
>>
>> sof_ipc_ctrl_value_chan and sof_ipc_ctrl_value_comp are of the same
>> size - 8 bytes, while sof_abi_hdr is much larger - _at least_ 32 bytes
>> (`__u32 data[0]` in sof_abi_hdr suggest that there should be more
>> payload after header). But they all contribute 0 to sizeof(sof_ipc_ctrl_data).
>>
>> Now control data allocations looks as follows
>>
>> 	scontrol->size = struct_size(scontrol->control_data, chanv,
>> 				     le32_to_cpu(mc->num_channels));
>> 	scontrol->control_data = kzalloc(scontrol->size, GFP_KERNEL);
>>
>> Which is sizeof(sof_ipc_ctrl_data) + mc->num_channels * sizeof(sof_ipc_ctrl_value_chan)
>>
>> For some reason it uses sizeof(sof_ipc_ctrl_value_chan), which is not
>> the largest member of the union.
>>
>> And this is where the problem is: in order to make control->data.FOO loads
>> and stores legal we need mc->num_channels to be of at least 4. So that
>>
>>    sizeof(sof_ipc_ctrl_data) + mc->num_channels * sizeof(sof_ipc_ctrl_value_chan)
>>
>>                 92           +        4         *            8
>>
>> will be the same as
>>
>>    sizeof(sof_ipc_ctrl_data) + sizeof(sof_abi_hdr).
>>
>>                 92           +           32
>>
>> Otherwise scontrol->control_data->data.FOO will access nearby/foreign
>> slab object.
>>
>> And there is at least one such memory access. In sof_get_control_data().
>>
>> 	wdata[i].pdata = wdata[i].control->control_data->data;
>> 	*size += wdata[i].pdata->size;
>>
>>
>> pdata->size is at offset 8, but if, say, mc->num_channels == 1 then
>> we allocate only 8 bytes for pdata, so pdata->size is 4 bytes outside
>> of allocated slab object.
>>
>> Thoughts?

Your analyzes are spot on, unfortunately. But...

As of today, the sof_get_control_data() is in the call path of
(ipc3-topology.c):

sof_widget_update_ipc_comp_process() -> sof_process_load() ->
sof_get_control_data()

sof_widget_update_ipc_comp_process() is the ipc_setup callback for
snd_soc_dapm_effect. If I'm not mistaken these only carries bin payload
and never MIXER/ENUM/SWITCH/VOLUME.
This means that the sof_get_control_data() is only called with
SND_SOC_TPLG_TYPE_BYTES and for that the allocated data area is correct.

This can explain why we have not seen any issues so far. This does not
renders the code right, as how it is written atm is wrong.

> The SOF contributors who wrote that code are all on an extended Easter week-end or vacation so we'll need more time to provide a definitive answer.
> 
> I am far from an expert on the topology, but I note that the 'data' field is only used for binary controls, where we use the maximum possible size for a control, without any arithmetic involving channels. It makes sense to me, the binary data does not have any defined structure, it's just a bunch of bytes provided as is to the firmware.
> 
> static int sof_ipc3_control_load_bytes(struct snd_sof_dev *sdev, struct snd_sof_control *scontrol)
> {
> 	struct sof_ipc_ctrl_data *cdata;
> 	int ret;
> 
> 	scontrol->ipc_control_data = kzalloc(scontrol->max_size, GFP_KERNEL);
> 	if (!scontrol->ipc_control_data)
> 		return -ENOMEM;
> 
> 
> In other cases, such as volumes and enums, the 'data' field doesn't seem to be used but we do use the channel information for volume and enums.
> 
> static int sof_ipc3_control_load_volume(struct snd_sof_dev *sdev, struct snd_sof_control *scontrol)
> {
> 	struct sof_ipc_ctrl_data *cdata;
> 	int i;
> 
> 	/* init the volume get/put data */
> 	scontrol->size = struct_size(cdata, chanv, scontrol->num_channels);
> 
> 	scontrol->ipc_control_data = kzalloc(scontrol->size, GFP_KERNEL);
> 
> 
> static int sof_ipc3_control_load_enum(struct snd_sof_dev *sdev, struct snd_sof_control *scontrol)
> {
> 	struct sof_ipc_ctrl_data *cdata;
> 
> 	/* init the enum get/put data */
> 	scontrol->size = struct_size(cdata, chanv, scontrol->num_channels);
> 
> 	scontrol->ipc_control_data = kzalloc(scontrol->size, GFP_KERNEL);
> 	if (!scontrol->ipc_control_data)
> 
> 
> Given that we have two ways of allocating the memory, I am not sure there is a problem, but I could be wrong.
> 
> I checked the v5.10.111 code and I see the same code, with the max_size being used for sof_control_load_bytes() and no channel-based arithmetic.

I agree that the issue can not be triggered due to the nature of how
things are working.

> Can I ask how you found out about this problem, is this the result of a warning/error reported by a software tool or based on your reviews of the code?
> 
> Thanks
> -Pierre
> 

-- 
Péter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ