tplg_parser: reject process priv blob smaller than abi header#10939
Open
jmestwa-coder wants to merge 1 commit into
Open
tplg_parser: reject process priv blob smaller than abi header#10939jmestwa-coder wants to merge 1 commit into
jmestwa-coder wants to merge 1 commit into
Conversation
process_append_data3() subtracts sizeof(struct sof_abi_hdr) from the host-supplied priv.size as a size_t. A bytes control declaring priv.size below the ABI header underflows size, and the ipc_size check wraps along with it and passes, so the memcpy overruns process_ipc. Reject the undersized blob before the subtraction. Signed-off-by: jmestwa-coder <jmestwa@gmail.com>
Collaborator
|
Can one of the admins verify this patch?
|
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes an integer underflow in the IPC3 process-widget private data handling in the topology parser by rejecting priv.size values smaller than the ABI header before subtracting sizeof(struct sof_abi_hdr).
Changes:
- Add an early validation in
process_append_data3()to rejectbytes_ctl->priv.size < sizeof(struct sof_abi_hdr)and return-EINVAL. - Prevent
size_tunderflow that could otherwise bypass the existingipc_size > max_process_sizecheck and lead to an out-of-boundsmemcpy().
lgirdwood
approved these changes
Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Integer underflow in the topology process-widget parser:
Reject priv.size below sizeof(struct sof_abi_hdr) before the subtraction.