Skip to content

module_adapter: validate config sizes and isolate per-instance state #10920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lgirdwood wants to merge 3 commits into
base: main
Choose a base branch
from
+31 −5
Open

module_adapter: validate config sizes and isolate per-instance state #10920

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7eb2414
cadence: validate init payload covers the direction field
lrgirdwo Jun 11, 2026
6890f78
waves: check remaining size before reading a tlv header
lrgirdwo Jun 11, 2026
0c0e552
module_adapter: make fragmented-transfer size per-instance
lrgirdwo Jun 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion src/audio/module_adapter/module/cadence_ipc4.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,7 +265,14 @@ static int cadence_codec_init(struct processing_module *mod)
setup_cfg->avail = true;
codec->cfg.avail = false;

/* direction follows the codec params in init data */
/* direction follows the codec params in init data; make sure the
* payload is large enough to hold it before dereferencing
*/
if (size < (int)(sizeof(struct snd_codec) + sizeof(uint32_t))) {
comp_err(dev, "setup config too small for direction: %d", size);
ret = -EINVAL;
goto free_cfg;
}
init_bytes = (uint8_t *)ext_data->module_data;
cd->direction = *(uint32_t *)(init_bytes + sizeof(struct snd_codec));
Comment on lines 276 to 277

Expand Down
9 changes: 9 additions & 0 deletions src/audio/module_adapter/module/waves/waves.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -612,6 +612,15 @@ static int waves_effect_apply_config(struct processing_module *mod)
for (index = 0; index < cfg->size && (!ret); param_number++) {
uint32_t param_data_size;

/* make sure a whole param header remains before reading
* param->size / param->id below
*/
if (index + header_size > cfg->size) {
comp_err(dev, "module_param header exceeds cfg buffer size: %d",
cfg->size);
return -EINVAL;
}
Comment on lines +618 to +622

param = (struct module_param *)((char *)cfg->data + index);
param_data_size = param->size - sizeof(param->size) - sizeof(param->id);

Expand Down
12 changes: 8 additions & 4 deletions src/audio/module_adapter/module_adapter_ipc3.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,21 +184,25 @@ static int module_adapter_get_set_params(struct comp_dev *dev, struct sof_ipc_ct
const struct module_interface *const interface = mod->dev->drv->adapter_ops;
enum module_cfg_fragment_position pos;
uint32_t data_offset_size;
static uint32_t size;
/* per-instance reassembly size; a file-scope static would be shared
* across all module_adapter components and corrupted by interleaved
* fragmented transfers
*/
uint32_t *size = &mod->runtime_params_size;

comp_dbg(dev, "num_of_elem %d, elem remain %d msg_index %u",
cdata->num_elems, cdata->elems_remaining, cdata->msg_index);

/* set the fragment position, data offset and config data size */
if (!cdata->msg_index) {
size = cdata->num_elems + cdata->elems_remaining;
data_offset_size = size;
*size = cdata->num_elems + cdata->elems_remaining;
data_offset_size = *size;
if (cdata->elems_remaining)
pos = MODULE_CFG_FRAGMENT_FIRST;
else
pos = MODULE_CFG_FRAGMENT_SINGLE;
} else {
data_offset_size = size - (cdata->num_elems + cdata->elems_remaining);
data_offset_size = *size - (cdata->num_elems + cdata->elems_remaining);
if (cdata->elems_remaining)
pos = MODULE_CFG_FRAGMENT_MIDDLE;
else
Expand Down
6 changes: 6 additions & 0 deletions src/include/module/module/base.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,12 @@ struct processing_module {
uint32_t deep_buff_bytes; /**< copy start threshold */
uint32_t output_buffer_size; /**< size of local buffer to save produced samples */

/* total size of a fragmented runtime-params (get/set) transfer, kept
* per instance so concurrent transfers to different components do not
* corrupt each other's reassembly state
*/
uint32_t runtime_params_size;
Comment on lines +121 to +125

/* number of sinks / sources and (when in use) input_buffers / input_buffers */
uint32_t num_of_sources;
uint32_t num_of_sinks;
Expand Down
Loading