Upstream: Patch 9/14: loader size/alignment issues

[plbossart]

feedback from Takashi Iwai

> +/* generic module parser for mmaped DSPs */
> +int snd_sof_parse_module_memcpy(struct snd_sof_dev *sdev,
> +				struct snd_sof_mod_hdr *module)
> +{
> +	struct snd_sof_blk_hdr *block;
> +	int count;
> +	u32 offset;
> +
> +	dev_dbg(sdev->dev, "new module size 0x%x blocks 0x%x type 0x%x\n",
> +		module->size, module->num_blocks, module->type);
> +
> +	block = (void *)module + sizeof(*module);
> +
> +	for (count = 0; count < module->num_blocks; count++) {

Need a sanity check that it won't go beyond the actual firmware size.
User may pass a malicious module data, e.g. with extra large
num_blocks.

> +		switch (block->type) {
> +		case SOF_BLK_IMAGE:
> +		case SOF_BLK_CACHE:
> +		case SOF_BLK_REGS:
> +		case SOF_BLK_SIG:
> +		case SOF_BLK_ROM:
> +			continue;	/* not handled atm */
> +		case SOF_BLK_TEXT:
> +		case SOF_BLK_DATA:
> +			offset = block->offset;
> +			break;
> +		default:
> +			dev_err(sdev->dev, "error: bad type 0x%x for block 0x%x\n",
> +				block->type, count);
> +			return -EINVAL;
> +		}
> +
> +		dev_dbg(sdev->dev,
> +			"block %d type 0x%x size 0x%x ==>  offset 0x%x\n",
> +			count, block->type, block->size, offset);
> +
> +		snd_sof_dsp_block_write(sdev, offset,
> +					(void *)block + sizeof(*block),
> +					block->size);
> +
> +		/* next block */
> +		block = (void *)block + sizeof(*block) + block->size;

This may lead to an unaligned access.
Also how is the endianess guaranteed?

[plbossart]

missed the second part of the issues

> +		/* next block */
> +		block = (void *)block + sizeof(*block) + block->size;

This may lead to an unaligned access.
Also how is the endianess guaranteed?

[bardliao]

@plbossart @lgirdwood From the discussion on alsa-devel mailing list, I will check if block->size is divisible by 4 in kernel side. Before that, I will send a PR on firmware side to ensure the block->size is multiple of 4.