
zephyr: syscall: sof_dma: fixes to dma_config syscall verification#10873

Open
kv2019i wants to merge 3 commits into
thesofproject:mainfrom
kv2019i:202606-dma-blk-deepcopy-fix

Conversation

@kv2019i

@kv2019i kv2019i commented Jun 11, 2026

Collaborator

Series of fixes to sof_dma dma_config syscall verification.

Note that this interface is not yet enabled in any product configuration, so exposure is currently limited.

…st()

deep_copy_dma_blk_cfg_list() is used to verify the syscall
arguments. Fix an issue with possible overflow when calculating
the alloc size for DMA blocks.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Copilot AI review requested due to automatic review settings June 11, 2026 10:37

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens the Zephyr userspace syscall validation path for SOF DMA configuration by preventing integer overflow when allocating the kernel-side copy of user-provided DMA block configurations.

Changes:

  • Add size_mul_overflow()-based overflow detection when computing the allocation size for dma_block_config arrays derived from user-controlled block_count.
  • Use the checked alloc_size when calling rmalloc().

kv2019i added 2 commits June 11, 2026 13:45
z_vrfy_sof_dma_config() only passes allowed fields of dma_config
struct to kernel. Add initialization of the stack dma_config object
kern_cfg to ensure the skipped fields are set to a known state.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
deep_copy_dma_blk_cfg_list() does not check that number of entries
in the linked list of DMA blocks matches cfg->block_count. This could
be used to make kernel read from unvalidated user memory.

Fix the issue by limiting list traversal to cfg->block_count.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
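The three checks described in the commit messages above (overflow-checked allocation size, traversal bounded by block_count, and a kernel-side copy with no uninitialised fields), combined in one standalone model as an added example; this is not the PR's code. The struct layouts, function names, `__builtin_mul_overflow` standing in for size_mul_overflow(), calloc standing in for rmalloc(), and reading user memory through a plain pointer instead of Zephyr's checked user-copy helpers are all assumptions of the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical stand-ins for SOF's dma_block_config / dma_config, reduced
 * to the fields this example needs; not the real struct layouts. */
struct blk { uint32_t block_size; struct blk *next_block; };
struct cfg { size_t block_count; struct blk *head_block; };  /* both user-controlled */
/* Kernel-side deep copy of an untrusted block list. Returns the number of
 * blocks copied or a negative errno: -EOVERFLOW if block_count * sizeof(blk)
 * overflows, -EINVAL if the list ends early, -ENOMEM if allocation fails. */
int deep_copy_blk_list(const struct cfg *cfg, struct blk **out)
{
	size_t alloc_size;
	*out = NULL;
	if (cfg->block_count == 0)
		return -EINVAL;
	/* checked multiply: the role size_mul_overflow() plays in the PR */
	if (__builtin_mul_overflow(cfg->block_count, sizeof(struct blk), &alloc_size))
		return -EOVERFLOW;
	/* calloc stands in for rmalloc(); zero-filling leaves no field uninitialised */
	struct blk *kern = calloc(1, alloc_size);
	if (!kern)
		return -ENOMEM;
	const struct blk *user = cfg->head_block;
	/* traversal is bounded by block_count, not by the user's next pointers */
	for (size_t i = 0; i < cfg->block_count; i++) {
		if (!user) {            /* list shorter than advertised */
			free(kern);
			return -EINVAL;
		}
		kern[i].block_size = user->block_size;
		/* the copied next pointer is always replaced by a kernel address or NULL */
		kern[i].next_block = (i + 1 < cfg->block_count) ? &kern[i + 1] : NULL;
		user = user->next_block;
	}
	*out = kern;
	return (int)cfg->block_count;
}
/* Helper: build a constructed user list of list_len blocks that claims
 * block_count entries, run the copy, and return its result code. */
int try_copy(size_t block_count, size_t list_len)
{
	struct blk user[4] = {0}, *kern;
	for (size_t i = 0; i < list_len; i++)
		user[i].next_block = (i + 1 < list_len) ? &user[i + 1] : NULL;
	struct cfg cfg = { block_count, list_len ? user : NULL };
	int rc = deep_copy_blk_list(&cfg, &kern);
	free(kern);
	return rc;
}
```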
@kv2019i kv2019i changed the title zephyr: syscall: sof_dma: handle overflow in deep_copy_dma_blk_cfg_li… zephyr: syscall: sof_dma: fixes to dma_config syscall verification Jun 11, 2026
@kv2019i

kv2019i commented Jun 11, 2026

Collaborator Author

V2:

  • pushed two more fixes

Comment thread zephyr/syscall/sof_dma.c
kern_next->next_block = NULL;
else
goto err;
}

Collaborator


you could remove the if and just put the else block after the loop? Or keep the if to stay correct and avoid a redundant assignment and just move the else out

Collaborator Author


@lyakh worth it? this is not performance critical, so I'd rather keep the logic in the same place inside the for loop. Now it's easy to see that the unsafe "kern_next_block" is overwritten in all cases. It's run only once in either case. If more votes, I can move to outside for loop, agreed it will be functionally the same.
