Skip to content

module_adapter: validate config sizes and isolate per-instance state#10920

Open
lgirdwood wants to merge 3 commits into
thesofproject:mainfrom
lgirdwood:fix-module-adapter
Open

module_adapter: validate config sizes and isolate per-instance state#10920
lgirdwood wants to merge 3 commits into
thesofproject:mainfrom
lgirdwood:fix-module-adapter

Conversation

@lgirdwood

@lgirdwood lgirdwood commented Jun 15, 2026

Copy link
Copy Markdown
Member

Hardening of the module_adapter and a couple of codec wrappers:

  • cadence: validate the init payload is large enough before reading the
    direction field past the codec params
  • waves: check a full TLV header remains in the config blob before reading it
  • module_adapter (IPC3): move the fragmented-transfer reassembly size out of a
    file-scope static into per-instance state, so interleaved transfers to
    different components can't corrupt each other

No functional change for valid configurations.

lrgirdwo added 3 commits June 11, 2026 14:40
@lrgirdwo
cadence: validate init payload covers the direction field
7eb2414 
The init path read the direction word at a fixed offset past the codec
params without checking the payload was large enough, reading past the
mailbox. Require the payload to cover the field.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
@lrgirdwo
waves: check remaining size before reading a tlv header
6890f78 
The config parse loop read a parameter header before confirming a whole
header remained in the blob, reading past it near the end. Bound the
read by the remaining size.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
@lrgirdwo
module_adapter: make fragmented-transfer size per-instance
0c0e552 
The reassembly size for fragmented runtime-params transfers was a
file-scope static shared by every component, so interleaved transfers to
different components corrupted each other's state. Move it into
per-instance module state.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Copilot AI review requested due to automatic review settings June 15, 2026 14:56
Copilot AI reviewed Jun 15, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Hardens module_adapter and codec wrappers by validating configuration buffer sizes before dereferencing and by isolating fragmented transfer reassembly state per component instance to avoid cross-component corruption.

Changes:

  • Added per-instance runtime_params_size to processing_module to track fragmented runtime-params transfer size.
  • Added bounds checks in Waves TLV parsing and Cadence init parsing to prevent out-of-bounds reads.
  • Updated IPC3 module_adapter get/set params path to use per-instance reassembly size instead of a static.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
src/include/module/module/base.h Adds per-instance field for fragmented transfer reassembly sizing.
src/audio/module_adapter/module_adapter_ipc3.c Switches from static reassembly size to per-instance state.
src/audio/module_adapter/module/waves/waves.c Adds header-size bounds check before reading TLV header fields.
src/audio/module_adapter/module/cadence_ipc4.c Validates init payload is large enough before reading direction word.

Comment thread src/audio/module_adapter/module/cadence_ipc4.c
Comment on lines 276 to 277
init_bytes = (uint8_t *)ext_data->module_data;
cd->direction = *(uint32_t *)(init_bytes + sizeof(struct snd_codec));
Comment thread src/audio/module_adapter/module/waves/waves.c
Comment on lines +618 to +622
if (index + header_size > cfg->size) {
comp_err(dev, "module_param header exceeds cfg buffer size: %d",
cfg->size);
return -EINVAL;
}
Comment thread src/audio/module_adapter/module_adapter_ipc3.c
* across all module_adapter components and corrupted by interleaved
* fragmented transfers
*/
uint32_t *size = &mod->runtime_params_size;
Comment thread src/include/module/module/base.h
Comment on lines +121 to +125
/* total size of a fragmented runtime-params (get/set) transfer, kept
* per instance so concurrent transfers to different components do not
* corrupt each other's reassembly state
*/
uint32_t runtime_params_size;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ranj063 ranj063 Awaiting requested review from ranj063 ranj063 is a code owner

@plbossart plbossart Awaiting requested review from plbossart plbossart is a code owner

@mmaka1 mmaka1 Awaiting requested review from mmaka1 mmaka1 is a code owner

@lbetlej lbetlej Awaiting requested review from lbetlej lbetlej is a code owner

@dbaluta dbaluta Awaiting requested review from dbaluta dbaluta is a code owner

@kv2019i kv2019i Awaiting requested review from kv2019i kv2019i is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lgirdwood @lrgirdwo