There are two bugs that have to do with when we copy the payload:

	size = simple_write_to_buffer(ipc4_msg->data_ptr,
				      priv->max_msg_size, ppos, buffer,
				      count);

The value of "*ppos" was supposed to be zero but it is
sizeof(ipc4_msg->header_u64) so it will copy the data into the middle of
the "ipc4_msg->data_ptr" buffer instead of to the start. The second
problem is "buffer" should be "buffer + sizeof(ipc4_msg->header_u64)".
This function is used for fuzz testing so the data is normally random
and this bug likely does not affect anyone very much.
In this context, it's simpler and more appropriate to use copy_from_user()
instead of simple_write_to_buffer() so I have re-written the function.
Fixes: 066c67624d ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/Ysg1tB2FKLnRMsel@kili
Signed-off-by: Mark Brown <broonie@kernel.org>
This code is supposed to propagate errors from simple_write_to_buffer()
or return -EFAULT if "size != count". However "size" needs to be signed
for the code to work correctly and the case where "size == 0" is not
handled correctly.
Fixes: 066c67624d ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages")
Fixes: 2f0b1b013b ("ASoC: SOF: debug: Add support for IPC message injection")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/Yph+Cd+JrfOH0i7z@kili
Signed-off-by: Mark Brown <broonie@kernel.org>
If user space provides a smaller buffer than the IPC4 reply then it is
possible that we corrupt user space memory since the IPC4 dfs_read function
is not using the count directly in copy_to_user() due to the nature of
an IPC4 message.
Cap the remaining counter to make sure that we are not writing too much to
the user space provided buffer.
Add a check also to make sure that the buffer is at least the size of the
IPC4 header.
Fixes: 066c67624d ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20220516092442.17027-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
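The following is a user-space C model of the three patterns these messages describe, added here as an illustration; it is not the driver's code. The message layout (a 64-bit header followed by a bounded payload), the buffer sizes, and the sim_* helpers that stand in for copy_from_user(), copy_to_user() and simple_write_to_buffer() are all assumptions made for the example. It shows why the return of simple_write_to_buffer() must be kept signed and why a zero return must be treated as an error (second message), the header/payload split with copy_from_user() on the write side (first message), and the header-size check plus payload capping on the read side (third message).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for an IPC4 message: a 64-bit header followed by a
 * payload. The layout is assumed for this example, not taken from the driver. */
#define MAX_PAYLOAD 64
struct ipc4_msg {
	uint64_t header_u64;
	size_t data_size;            /* valid bytes in data[] */
	uint8_t data[MAX_PAYLOAD];
};

/* User-space stand-ins for the kernel helpers. Like the kernel versions they
 * return the number of bytes NOT copied; a NULL pointer plays the role of a
 * faulting user address. */
static size_t sim_copy_from_user(void *to, const void *from, size_t n)
{
	if (!from) return n;
	memcpy(to, from, n);
	return 0;
}
static size_t sim_copy_to_user(void *to, const void *from, size_t n)
{
	if (!to) return n;
	memcpy(to, from, n);
	return 0;
}
/* Mirrors simple_write_to_buffer(): bytes copied, 0 if *ppos is already at
 * or past the end of the buffer, or -EFAULT on a faulting user pointer. */
static ssize_t sim_simple_write_to_buffer(void *to, size_t available, size_t *ppos,
					  const void *from, size_t count)
{
	size_t pos = *ppos;
	if (pos >= available) return 0;
	if (count > available - pos) count = available - pos;
	if (sim_copy_from_user((char *)to + pos, from, count)) return -EFAULT;
	*ppos = pos + count;
	return (ssize_t)count;
}

/* Pattern from the second message. The unsigned variant stores a negative
 * return in a size_t, so every error collapses into -EFAULT, and a 0 return
 * (nothing written) is handed back as success instead of an error. */
static ssize_t inject_write_unsigned(void *tx, size_t max, size_t *ppos,
				     const void *ubuf, size_t count)
{
	size_t size = sim_simple_write_to_buffer(tx, max, ppos, ubuf, count);
	if (size != count)
		return size > 0 ? -EFAULT : (ssize_t)size;
	return (ssize_t)size;
}
static ssize_t inject_write_signed(void *tx, size_t max, size_t *ppos,
				   const void *ubuf, size_t count)
{
	ssize_t size = sim_simple_write_to_buffer(tx, max, ppos, ubuf, count);
	if (size < 0)
		return size;           /* propagate the helper's own error */
	if ((size_t)size != count)
		return -EFAULT;        /* short write, including size == 0 */
	return size;
}

/* IPC4 write path from the first message: header from the first 8 bytes of
 * the user buffer, payload from buffer + sizeof(header) into the START of the
 * payload area, using the copy_from_user() stand-in directly. */
static ssize_t ipc4_inject_write(struct ipc4_msg *msg, const char *ubuf, size_t count)
{
	size_t hdr = sizeof(msg->header_u64);
	if (count < hdr || count - hdr > MAX_PAYLOAD)
		return -EINVAL;
	if (sim_copy_from_user(&msg->header_u64, ubuf, hdr))
		return -EFAULT;
	if (sim_copy_from_user(msg->data, ubuf + hdr, count - hdr))
		return -EFAULT;
	msg->data_size = count - hdr;
	return (ssize_t)count;
}

/* IPC4 read path from the third message: require room for the header, then
 * cap the payload to the bytes remaining in the caller's buffer. */
static ssize_t ipc4_reply_read(const struct ipc4_msg *reply, char *ubuf, size_t count)
{
	size_t hdr = sizeof(reply->header_u64);
	size_t payload = reply->data_size;
	if (count < hdr)
		return -EINVAL;
	if (sim_copy_to_user(ubuf, &reply->header_u64, hdr))
		return -EFAULT;
	if (payload > count - hdr)
		payload = count - hdr;   /* never write past what was asked for */
	if (payload && sim_copy_to_user(ubuf + hdr, reply->data, payload))
		return -EFAULT;
	return (ssize_t)(hdr + payload);
}
```

The contrast worth noting is the zero-length case: with *ppos already at the end of the buffer, the unsigned variant returns 0 (user space sees a successful write of nothing and will typically retry forever), while the signed variant returns -EFAULT. On the read side, a caller that passes a buffer shorter than the reply gets a truncated payload rather than an overrun of its buffer.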