ipc: move all init parsing to components/modules #9535
Conversation
|
Pushed this again for exploring solutions. @lyakh I don't think we will be able to do type checks. There are so many types that are hardcoded in ipc3 for legacy reasons that now no longer match because of the module adapter that I don't see how it is feasible to force the check. And in all honesty, I am now sure this is the correct fix looking closer. E.g. ASRC which is currently a So my current theories on how to fix this are pretty aggressive as they either require exposing a new callback / driver info to properly parse the IPC info or just uprev the major version and drop the enum field and comp_specific enum data entirely or pushing the init data parsing down to the component where it belongs. Regardless of the solution this is unfortunately a security bug that does need to be resolved sooner rather than later. |
cujomalainey
added
bug
|
I'm exploring the possibilities of just packaging the data into a struct with just a size header and then forcing all downstream components to do the type checking. This would remove the dependency on the enum while also forcing the component specific code back down to the components. |
So we have really cornered ourselves here with IPC3 adapting to IPC4 types in a generic format. Couple of issues I see here.
With these changes we should be protected against enum UUID mismatch as we only check 1 of those 2 items once to get the comp_driver then let the driver handle everything else from there. This also requires no ABI or kernel changes. The one downside i see is that modules will have IPC specific shims but i think that is a small price to pay to thin this hole out of our communication layer. |
|
@cujomalainey ack - lets get rid of the enum, we should be able to do basic checking in the IPC layer and then force down module/driver specif data to the module/driver for checking. We can extend the APIs as needed, even if we have some __unused params on some IPC flavours |
I think the enum is fine as long as we use the identified I think with my fix I don't think we need to modify the APIs at all, just a compile time shim. I hope to push an example today for comments. |
|
@lgirdwood this is a non functional example of what I think needs to happen. PTAL. Tone is the non module adapter example, ASRC is the module adapter example |
cujomalainey
changed the title
| /* Copy initial config */ | ||
| if (size) { | ||
| ret = module_load_config(dev, data, size); | ||
| if (config->ipc_config_size) { |
There was a problem hiding this comment.
this will need to be refined to check if there was data appended to the IPC, not if the IPC had size total
cujomalainey
force-pushed
the
ipc-type
branch
3 times, most recently
from
43352f0
to
b016c9b
Compare
cujomalainey
added
P2
Add helper to switch out init calls to shim in conversion functions if needed. Signed-off-by: Curtis Malainey <[email protected]>
gotta test all the standard flows Signed-off-by: Curtis Malainey <[email protected]>
Never gonna give you up Never gonna let you down Never gonna run around and modify you Signed-off-by: Curtis Malainey <[email protected]>
ONLY COMPILE/FUZZ TESTED Given we cannot trust our enum field in the IPC as communicator may lie about the component on the other side and the module adapter is obscuring the nature of many of the components we need to move the type casting into the components directly. Here is a breakdown of the general steps to achieve this. 1. report ipc config size for all versions 2. remove type casting in the IPC3 layer 3. on non module adapter components cast the config in a compile time selected shim 4. in the module adapter ipc3 layer, remove type casting again 5. in module adapter components realloc init data and cast over in a compile time enabled shim Signed-off-by: Curtis Malainey <[email protected]>
cujomalainey
force-pushed
the
ipc-type
branch
from
b016c9b
to
2566518
Compare
Tone generator is an early SOF component that has not been maintained to keep it usable. Should I just make a PR to remove it? |
| if (IPC_TAIL_IS_SIZE_INVALID(*asrc)) | ||
| return -EBADMSG; | ||
|
|
||
| ipc_asrc = rballoc(0, SOF_MEM_CAPS_RAM, sizeof(*ipc_asrc)); |
There was a problem hiding this comment.
is the configuration so large or why rballoc()?
There was a problem hiding this comment.
Rballoc is what is used module_load_config to alloc the same region. Used it to reduce the number of changes.
| ipc_volume->ramp = volume->ramp; | ||
|
|
||
| mod_data->cfg.init_data = ipc_volume; | ||
| mod_data->cfg.data = ipc_volume; |
There was a problem hiding this comment.
IIUC you use cfg.data for freeing, isn't rfree() missing here - similar to asrc? Please also check others
There was a problem hiding this comment.
No this is correct. Data is set to the raw IPC so it should not be freed.
A bad IPC can mismatch UUID and type, causing downstream processes to operate differently than the matched component target.
This is because get_drv will not reject the mismatch. This enforces the topology matches the UUID and type.This change moves all type casting down to the final module so it cannot confuse intermediate processes.Exempted modules/components from shims
specin IPC3spec