• Takashi Iwai's avatar
    ALSA: control: Add verification for kctl accesses · fbd3eb7f
    Takashi Iwai authored
    The current implementation of ALSA control API fully relies on the
    callbacks of each driver, and there is no verification of the values
    passed via API.  This patch is an attempt to improve the situation
    slightly by adding the validation code for the values stored via info
    and get callbacks.
    
    The patch adds a new kconfig, CONFIG_SND_CTL_VALIDATION.  It depends
    on CONFIG_SND_DEBUG and off as default since the validation would
    require a slight overhead including the additional call of info
    callback at each get callback invocation.
    
    When this config is enabled, the values stored by each info callback
    invocation are verified, namely:
    - Whether the info type is valid
    - Whether the number of enum items is non-zero
    - Whether the given info count is within the allowed boundary
    
    Similarly, the values stored at each get callback are verified as
    well:
    - Whether the values are within the given range
    - Whether the values are aligned with the given step
    - Whether any further changes are seen in the data array over the
      given info count
    
    The last point helps identifying a possibly invalid data type access,
    typically a case where the info callback declares the type being
    SNDRV_CTL_ELEM_TYPE_ENUMERATED while the get/put callbacks store
    the values in value.integer.value[] array.
    
    When a validation fails, the ALSA core logs an error message including
    the device and the control ID, and the API call also returns an
    error.  So, with the new validation turned on, the driver behavior
    difference may be visible on user-space, too -- it's intentional,
    though, so that we can catch an error more clearly.
    
    The patch also introduces a new ctl access type,
    SNDRV_CTL_ELEM_ACCESS_SKIP_CHECK.  A driver may pass this flag with
    other access bits to indicate that the ctl element won't be verified.
    It's useful when a driver code is specially written to access the data
    greater than info->count size by some reason.  For example, this flag
    is actually set now in HD-audio HDMI codec driver which needs to clear
    the data array in the case of the disconnected monitor.
    
    Also, the PCM channel-map helper code is slightly modified to avoid
    the false-positive hit by this validation code, too.
    
    Link: https://lore.kernel.org/r/20200104083556.27789-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    fbd3eb7f
control.c 55 KB