author Takashi Iwai <tiwai@suse.de> 2020-01-04 09:35:56 +0100
committer Takashi Iwai <tiwai@suse.de> 2020-01-04 09:37:59 +0100
commit fbd3eb7f66c5b4f37a959bc2deaeb1d7b5ddf0d4 (patch)
tree 6c51987dc73fd820c77c7c1817cf4ab94e616dd4 /include/sound
parent caf3c0437aaf2e63624c4aaf94c0dd38d1f897e3 (diff)
ALSA: control: Add verification for kctl accesses

The current implementation of ALSA control API fully relies on the callbacks of each driver, and there is no verification of the values passed via API. This patch is an attempt to improve the situation slightly by adding the validation code for the values stored via info and get callbacks.

The patch adds a new kconfig, CONFIG_SND_CTL_VALIDATION. It depends on CONFIG_SND_DEBUG and off as default since the validation would require a slight overhead including the additional call of info callback at each get callback invocation.

When this config is enabled, the values stored by each info callback invocation are verified, namely:
- Whether the info type is valid
- Whether the number of enum items is non-zero
- Whether the given info count is within the allowed boundary

Similarly, the values stored at each get callback are verified as well:
- Whether the values are within the given range
- Whether the values are aligned with the given step
- Whether any further changes are seen in the data array over the given info count

The last point helps identifying a possibly invalid data type access, typically a case where the info callback declares the type being SNDRV_CTL_ELEM_TYPE_ENUMERATED while the get/put callbacks store the values in value.integer.value[] array.

When a validation fails, the ALSA core logs an error message including the device and the control ID, and the API call also returns an error. So, with the new validation turned on, the driver behavior difference may be visible on user-space, too -- it's intentional, though, so that we can catch an error more clearly.

The patch also introduces a new ctl access type, SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK. A driver may pass this flag with other access bits to indicate that the ctl element won't be verified. It's useful when a driver code is specially written to access the data greater than info->count size by some reason. For example, this flag is actually set now in HD-audio HDMI codec driver which needs to clear the data array in the case of the disconnected monitor.

Also, the PCM channel-map helper code is slightly modified to avoid the false-positive hit by this validation code, too.

Link: https://lore.kernel.org/r/20200104083556.27789-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Diffstat (limited to 'include/sound')
-rw-r--r-- include/sound/control.h 10
1 files changed, 10 insertions, 0 deletions
diff --git a/include/sound/control.h b/include/sound/control.h
index 5d7c99475684..11feeee31e35 100644
--- a/include/sound/control.h
+++ b/include/sound/control.h
@@ -22,6 +22,16 @@ typedef int (snd_kcontrol_tlv_rw_t)(struct snd_kcontrol *kcontrol,
unsigned int size,
unsigned int __user *tlv);
+/* internal flag for skipping validations */
+#ifdef CONFIG_SND_CTL_VALIDATION
+#define SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK (1 << 27)
+#define snd_ctl_skip_validation(info) \
+ ((info)->access & SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK)
+#else
+#define SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK 0
+#define snd_ctl_skip_validation(info) true
+#endif
+
enum {
SNDRV_CTL_TLV_OP_READ = 0,
SNDRV_CTL_TLV_OP_WRITE = 1,
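
Review bot: the two definitions of snd_ctl_skip_validation(info) are not equivalent in shape. With CONFIG_SND_CTL_VALIDATION set the macro yields the raw masked access bits, while the #else branch expands to true and never evaluates info, so a caller whose only use of info is this macro can pick up an unused-variable warning when the option is off, and the result type differs between builds. A static inline returning bool in both branches would avoid that, or at minimum `!!((info)->access & SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK)` in the first branch and `((void)(info), true)` in the second. The one-line comment above SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK also deserves expanding: it should say why bit 27 was picked and that the value must not overlap any other access bit carried in the same field, since nothing in this hunk enforces that. Because the flag switches off the new validation for an element, the comment should state that only driver code is meant to set it.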