audio: kpb: IPC handling hardening #10901

Open: tmleman wants to merge 3 commits into thesofproject:main from tmleman:topic/upstream/pr/audio/kpb/fix/add_more_checks
tmleman (Contributor) commented Jun 12, 2026

Those commits harden the KPB IPC4 large-config paths: they validate the host-supplied channel count in kpb_set_micselect() (preventing an unsigned underflow and out-of-bounds writes) and validate the FMT module list against the actual payload length in the KP_BUF_CFG_FM_MODULE path (preventing out-of-bounds reads). The third commit makes prepare_fmt_modules_list() roll back partially populated FMT entries on error and adds a defensive outpin_idx bound check, so a failed configuration no longer leaves stale component references.

Copilot AI review requested due to automatic review settings June 12, 2026 14:02

Copilot AI (Contributor) left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Hardens KPB IPC4 large-config handling to prevent malformed host payloads from causing out-of-bounds reads/writes, and ensures partially applied FMT configuration is rolled back on error.

Changes:

  • Validate micselector payload size and channel count before computing masks/offsets.
  • Validate KP_BUF_CFG_FM_MODULE payload length against declared module count.
  • Add rollback/cleanup in prepare_fmt_modules_list() and defensively bound-check outpin_idx.

Comment thread src/audio/kpb.c
tmleman force-pushed the topic/upstream/pr/audio/kpb/fix/add_more_checks branch from 7dcbd90 to d24e307 on June 12, 2026 15:04
tmleman added 3 commits June 12, 2026 18:24

kpb_set_micselect() computed mic_cnt = channels -
KPB_REFERENCE_SUPPORT_CHANNELS without checking the lower bound. With
a host-configured channel count below 2 the unsigned subtraction
wraps, producing a huge loop bound and out-of-bounds writes to the
fixed offsets[] array.

Reject payloads smaller than the config struct and channel counts
outside the supported range before computing mic_cnt, and bound the
offsets[] index inside the loop.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>

The KP_BUF_CFG_FM_MODULE large-config path cast the host payload to
struct kpb_task_params and iterated dev_ids[] for number_of_modules
entries without checking it against the declared payload length, so a
number_of_modules larger than the payload caused out-of-bounds reads.

Verify the payload covers the header and all declared dev_ids[]
entries before processing the list.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>

prepare_fmt_modules_list() populates kpb_list_item[], device_list[]
and modules_list_item[] entries as it walks the module list. On any
mid-loop failure it returned without undoing those entries, while the
caller had already cleared the previous list, leaving a
half-configured Fast Mode Task list with stale component references.

Roll back the touched entries via clear_fmt_modules_list() on the
error path, and add a defensive bound check on outpin_idx.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>
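
The two input checks described in the first and second commit messages, as an added example that is not the SOF code from this pull request. `struct task_params`, the function names and `MAX_CHANNELS` are hypothetical; only the lower bound of 2 and the `number_of_modules`/`dev_ids[]` field names come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REF_CHANNELS 2u /* per the commit message: counts below 2 wrap */
#define MAX_CHANNELS 8u /* assumed upper bound, not taken from the PR */

/* Hypothetical host payload: count header followed by that many IDs. */
struct task_params {
	uint32_t number_of_modules;
	uint32_t dev_ids[];
};

/* Unchecked form: unsigned subtraction wraps when channels < REF_CHANNELS. */
static uint32_t mic_cnt_unchecked(uint32_t channels)
{
	return channels - REF_CHANNELS;
}

/* Checked form: reject out-of-range counts before subtracting. */
static int mic_cnt_checked(uint32_t channels, uint32_t *mic_cnt)
{
	if (channels < REF_CHANNELS || channels > MAX_CHANNELS)
		return -1;
	*mic_cnt = channels - REF_CHANNELS;
	return 0;
}

/* Returns 1 only if len covers the header and every declared dev_ids[]
 * entry. Dividing the remaining length avoids overflow in count * size. */
static int module_list_valid(const void *payload, size_t len)
{
	const size_t hdr = offsetof(struct task_params, dev_ids);
	uint32_t count;

	if (len < hdr)
		return 0;
	memcpy(&count, payload, sizeof(count)); /* no alignment assumption */
	return count <= (len - hdr) / sizeof(uint32_t);
}

int main(void)
{
	uint32_t m = 0, lying[3] = { 1000, 7, 9 }; /* constructed: claims 1000 IDs */
	printf("1 channel: unchecked=%u checked rc=%d\n",
	       (unsigned)mic_cnt_unchecked(1), mic_cnt_checked(1, &m));
	printf("module list accepted: %d\n", module_list_valid(lying, sizeof(lying)));
	return 0;
}
```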