audio: module_adapter: fix sizeof(pointer) and underflow in module_ext_init_decode

tmleman · tmleman · commit dcde013d918b · 2026-05-07T11:58:28.000+02:00
Three weaknesses compose into a single chain in module_ext_init_decode()
that allows a crafted IPC4 ModuleInit payload to corrupt spec-&gt;size and
spec-&gt;data before they are consumed by module_adapter_init_data().

The size guard used the wrong sizeof operand:

  if (spec-&gt;size &lt; sizeof(ext_init))   /* sizeof(pointer) = 4, not 12 */

This accepted any payload &gt;= 4 bytes even though the struct header is 12
bytes.  Additionally, ext_init-&gt;data_obj_array was dereferenced before
the guard ran, allowing the object-walk loop to be skipped with no size
validation.  When the loop is skipped, the unconditional spec-&gt;size
adjustment:

  spec-&gt;size -= (unsigned char *)obj - spec-&gt;data;   /* obj = data + 12 */

produces an unsigned underflow for spec-&gt;size in [4, 11], yielding
values around 0xFFFFFFFC.  The corrupted spec is then passed to
module_adapter_init_data() where the inflated size bypasses the base_cfg
guard and dst-&gt;base_cfg is populated from mailbox bytes beyond the
declared payload boundary.

Found by semgrep static analysis, confirmed by manual review of the
caller chain through module_adapter_init_data(), and verified with
prepared tests.

Fixes:

1. Move size guard before ext_init dereference so spec-&gt;size is
   validated against sizeof(*ext_init) before any field is read.

2. Correct sizeof operand from sizeof(ext_init) to sizeof(*ext_init)
   (4 bytes → 12 bytes).

3. Guard the unconditional spec adjustment — compute consumed bytes and
   return -EINVAL if consumed &gt; spec-&gt;size before subtracting.

4. Add upper-bound check in module_adapter_init_data() — reject cfgsz
   greater than MAILBOX_HOSTBOX_SIZE as a defense-in-depth measure.

Signed-off-by: Tomasz Leman &lt;tomasz.m.leman@intel.com&gt;
diff --git a/src/audio/module_adapter/module_adapter_ipc4.c b/src/audio/module_adapter/module_adapter_ipc4.c
@@ -16,6 +16,7 @@
 #include <sof/audio/module_adapter/module/generic.h>
 #include <sof/audio/pipeline.h>
 #include <sof/common.h>
+#include <sof/lib/mailbox.h>
 #include <sof/platform.h>
 #include <sof/ut.h>
 #include <rtos/interrupt.h>
@@ -28,17 +29,22 @@ LOG_MODULE_DECLARE(module_adapter, CONFIG_SOF_LOG_LEVEL);
 int module_ext_init_decode(const struct comp_driver *drv, struct module_ext_init_data *ext_data,
 			   struct ipc_config_process *spec)
 {
-	const struct ipc4_module_init_ext_init *ext_init =
-		(const struct ipc4_module_init_ext_init *)spec->data;
-	bool last_object = !ext_init->data_obj_array;
+	const struct ipc4_module_init_ext_init *ext_init;
 	const struct ipc4_module_init_ext_object *obj;
+	bool last_object;
+	size_t consumed;
 
 	assert(drv->type == SOF_COMP_MODULE_ADAPTER);
-	if (spec->size < sizeof(ext_init)) {
+
+	/* Validate size before dereferencing ext_init pointer */
+	if (spec->size < sizeof(*ext_init)) {
 		comp_cl_err(drv, "Size too small for ext init %zu < %zu",
-			    spec->size, sizeof(ext_init));
+			    spec->size, sizeof(*ext_init));
 		return -EINVAL;
 	}
+
+	ext_init = (const struct ipc4_module_init_ext_init *)spec->data;
+	last_object = !ext_init->data_obj_array;
 	/* TODO: Handle ext_init->gna_used and ext_init->rtos_domain here */
 	/* Get the first obj struct right after ext_init struct */
 	obj = (const struct ipc4_module_init_ext_object *)(ext_init + 1);
@@ -103,7 +109,15 @@ int module_ext_init_decode(const struct comp_driver *drv, struct module_ext_init
 	}
 
 	/* Remove decoded ext_init payload from spec */
-	spec->size -= (unsigned char *)obj - spec->data;
+	consumed = (unsigned char *)obj - spec->data;
+
+	if (consumed > spec->size) {
+		comp_cl_err(drv, "ext_init consumed more than spec->size (%zu > %zu)",
+			    consumed, spec->size);
+		return -EINVAL;
+	}
+
+	spec->size -= consumed;
 	spec->data = (const unsigned char *)obj;
 
 	return 0;
@@ -132,8 +146,10 @@ int module_adapter_init_data(struct comp_dev *dev,
 
 	if (cfg == NULL)
 		return -EINVAL;
-	if (cfgsz < sizeof(cfg->base_cfg))
+	if (cfgsz > MAILBOX_HOSTBOX_SIZE || cfgsz < sizeof(cfg->base_cfg)) {
+		comp_err(dev, "invalid config size %zu", cfgsz);
 		return -EINVAL;
+	}
 
 	dst->base_cfg = cfg->base_cfg;
 	dst->size = cfgsz;
