Skip to content

base_fw: reject undersized system time payload#10929

Merged
kv2019i merged 1 commit into
thesofproject:mainfrom
lgirdwood:fix-base-fw
Jun 17, 2026
Merged

base_fw: reject undersized system time payload#10929
kv2019i merged 1 commit into
thesofproject:mainfrom
lgirdwood:fix-base-fw

Conversation

@lgirdwood

@lgirdwood lgirdwood commented Jun 16, 2026

Copy link
Copy Markdown
Member

The SYSTEM_TIME large-config handler dereferenced the payload as a fixed
struct without checking the supplied size, reading past the mailbox for a
short payload. Reject a payload smaller than struct ipc4_system_time.

No functional change for valid configurations.

@lrgirdwo
base_fw: reject undersized system time payload
9ba6f92 
The system-time handler dereferenced the payload as a fixed struct
without checking the supplied size, reading past the mailbox for a short
payload. Reject a payload smaller than the struct.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Copilot AI review requested due to automatic review settings June 16, 2026 14:20
Copilot AI reviewed Jun 16, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR hardens the SYSTEM_TIME large-config handler against undersized payloads by validating the incoming payload size before dereferencing it as struct ipc4_system_time, preventing out-of-bounds reads.

Changes:

  • Add a minimum-size check for struct ipc4_system_time before reading mailbox payload data.
  • Return an error for undersized SYSTEM_TIME payloads to avoid invalid memory access.

Comment thread src/audio/base_fw.c
Comment on lines +280 to +281
if (data_offset < sizeof(struct ipc4_system_time))
return IPC4_ERROR_INVALID_PARAM;

@lgirdwood lgirdwood Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

data_offset here is the payload size, not an offset — lyakh confirmed the same in the review. The large-config set path passes the fragment/payload length in this argument (the parameter name is misleading and worth renaming separately), so checking it against sizeof(struct ipc4_system_time) is correct.

lyakh
lyakh approved these changes Jun 17, 2026
View reviewed changes

@lyakh lyakh left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think data_offset does actually mean "size," so this is correct... We should really rename that parameter at least in functions, where it definitely means size

@kv2019i kv2019i merged commit 689eb09 into thesofproject:main Jun 17, 2026
45 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lyakh lyakh lyakh approved these changes

@kv2019i kv2019i kv2019i approved these changes

@plbossart plbossart Awaiting requested review from plbossart plbossart is a code owner

@mmaka1 mmaka1 Awaiting requested review from mmaka1 mmaka1 is a code owner

@lbetlej lbetlej Awaiting requested review from lbetlej lbetlej is a code owner

@dbaluta dbaluta Awaiting requested review from dbaluta dbaluta is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lgirdwood @lyakh @kv2019i @lrgirdwo