Skip to content

audio: base_fw: validate host core_id in KCPS allocation request#10898

Merged
abonislawski merged 1 commit into
thesofproject:mainfrom
abonislawski:fix/basefw-kcps
Jun 17, 2026
Merged

audio: base_fw: validate host core_id in KCPS allocation request#10898
abonislawski merged 1 commit into
thesofproject:mainfrom
abonislawski:fix/basefw-kcps

Conversation

@abonislawski

@abonislawski abonislawski commented Jun 12, 2026

Copy link
Copy Markdown
Member

basefw_kcps_allocation_request() passed request->core_id from the host IPC payload straight into core_kcps_adjust(), which uses it to index kcps_consumption[CONFIG_CORE_COUNT]. An out-of-range core_id turns the add-assign into an arbitrary relative write into DSP .bss.

Reject core_id >= CONFIG_CORE_COUNT at the IPC boundary, mirroring the existing check in schedulers_info_get().

Copilot AI review requested due to automatic review settings June 12, 2026 12:15
Copilot AI reviewed Jun 12, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds IPC-boundary validation for core_id in KCPS allocation requests to prevent out-of-bounds indexing into kcps_consumption[CONFIG_CORE_COUNT] and potential arbitrary relative writes into .bss.

Changes:

  • Rejects request->core_id >= CONFIG_CORE_COUNT in basefw_kcps_allocation_request().
  • Logs an error and returns IPC4_ERROR_INVALID_PARAM on invalid core_id.

Comment thread src/audio/base_fw.c
@abonislawski
audio: base_fw: validate host core_id in KCPS allocation request
b46fb06 
basefw_kcps_allocation_request() passed request->core_id from the host
IPC payload straight into core_kcps_adjust(), which uses it to index
kcps_consumption[CONFIG_CORE_COUNT]. An out-of-range core_id turns the
add-assign into an arbitrary relative write into DSP .bss.

Reject core_id >= CONFIG_CORE_COUNT at the IPC boundary, mirroring the
existing check in schedulers_info_get().

Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>
@abonislawski

abonislawski commented Jun 17, 2026

Copy link
Copy Markdown
Member Author

Just rerun, no changes

@abonislawski abonislawski merged commit eb6a85f into thesofproject:main Jun 17, 2026
45 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jsarha jsarha jsarha approved these changes

@lyakh lyakh lyakh approved these changes

@lgirdwood lgirdwood lgirdwood approved these changes

@tmleman tmleman tmleman approved these changes

@plbossart plbossart Awaiting requested review from plbossart plbossart is a code owner

@mmaka1 mmaka1 Awaiting requested review from mmaka1 mmaka1 is a code owner

@lbetlej lbetlej Awaiting requested review from lbetlej lbetlej is a code owner

@dbaluta dbaluta Awaiting requested review from dbaluta dbaluta is a code owner

@kv2019i kv2019i Awaiting requested review from kv2019i kv2019i is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@abonislawski @jsarha @lyakh @lgirdwood @tmleman