From cd7f82ce8db4d629fc264025ec2062f9e0c372cf Mon Sep 17 00:00:00 2001
From: Marc Herbert
Date: Fri, 9 Feb 2024 00:32:38 +0000
Subject: [PATCH] ipc-helper.c: reject invalid SOF_MEM_CAPS_* bits
Fixes lack of SOF_MEM_CAPS_* input validation found in #8832
Signed-off-by: Marc Herbert
---
 src/include/ipc/topology.h | 6 ++++++
 src/ipc/ipc-helper.c | 19 +++++++++++++++++--
 src/ipc/ipc3/handler.c | 1 +
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/include/ipc/topology.h b/src/include/ipc/topology.h
index a12f8610f734..e1eac2581a28 100644
--- a/src/include/ipc/topology.h
+++ b/src/include/ipc/topology.h
@@ -87,6 +87,12 @@ struct sof_ipc_comp {
 #define SOF_MEM_CAPS_EXEC BIT(7) /**< executable */
 #define SOF_MEM_CAPS_L3 BIT(8) /**< L3 memory */
+#ifdef CONFIG_L3_HEAD
+#define SOF_MEM_CAPS_MAX_BIT BIT(8) /**< Used for input validation */
+#else
+#define SOF_MEM_CAPS_MAX_BIT BIT(9) /**< Used for input validation */
+#endif
+
 /*
 * overrun will cause ring buffer overwrite, instead of XRUN.
 */
diff --git a/src/ipc/ipc-helper.c b/src/ipc/ipc-helper.c
index 9d09707a522f..29ee57829564 100644
--- a/src/ipc/ipc-helper.c
+++ b/src/ipc/ipc-helper.c
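Review bot: The two `SOF_MEM_CAPS_MAX_BIT` values in the topology.h hunk look swapped for the way the bound is used. ipc-helper.c rejects a value with `>= SOF_MEM_CAPS_MAX_BIT`, so the build that has L3 memory needs the higher bound for `SOF_MEM_CAPS_L3` (`BIT(8)`) to pass, yet the `#ifdef` branch gives it `BIT(8)` and the `#else` branch `BIT(9)`. `CONFIG_L3_HEAD` also reads like a misspelling of the L3 heap option; if no Kconfig symbol of that name exists, the `#ifdef` branch is never compiled and every build accepts bit 8. I would put `BIT(9)` under the `#ifdef` and `BIT(8)` under the `#else`, confirm the symbol name against Kconfig, and change the comment to say what the value is, for example `/**< lowest invalid bit: exclusive upper bound for input validation */`.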
@@ -36,13 +36,28 @@ LOG_MODULE_DECLARE(ipc, CONFIG_SOF_LOG_LEVEL);
+static bool valid_ipc_buffer_desc(const struct sof_ipc_buffer *desc)
+{
+ if (desc->flags >= SOF_MEM_CAPS_MAX_BIT)
+ return false;
+
+ /* FIXME: check desc->size and maybe other things */
+ return true;
+}
+
 /* create a new component in the pipeline */
 struct comp_buffer *buffer_new(const struct sof_ipc_buffer *desc, bool is_shared)
 {
 struct comp_buffer *buffer;
- tr_info(&buffer_tr, "buffer new size 0x%x id %d.%d flags 0x%x",
- desc->size, desc->comp.pipeline_id, desc->comp.id, desc->flags);
+ if (valid_ipc_buffer_desc(desc)) {
+ tr_info(&buffer_tr, "buffer new size 0x%x id %d.%d flags 0x%x",
+ desc->size, desc->comp.pipeline_id, desc->comp.id, desc->flags);
+ } else {
+ tr_err(&buffer_tr, "Invalid buffer desc! New size 0x%x id %d.%d flags 0x%x",
+ desc->size, desc->comp.pipeline_id, desc->comp.id, desc->flags);
+ return NULL;
+ }
 /* allocate buffer */
 buffer = buffer_alloc(desc->size, desc->caps, desc->flags, PLATFORM_DCACHE_ALIGN,
diff --git a/src/ipc/ipc3/handler.c b/src/ipc/ipc3/handler.c
index 87fe5b93265e..5bcb4df40fe8 100644
--- a/src/ipc/ipc3/handler.c
+++ b/src/ipc/ipc3/handler.c
@@ -76,6 +76,7 @@ LOG_MODULE_DECLARE(ipc, CONFIG_SOF_LOG_LEVEL);
 #define iGS(x) ((x) & SOF_GLB_TYPE_MASK)
 #define iCS(x) ((x) & SOF_CMD_TYPE_MASK)
+/* FIXME: assert() should be turned off in production builds */
 #define _IPC_COPY_CMD(rx, tx, rx_size) \
 do { \
 int ___ret; \
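Review bot: `valid_ipc_buffer_desc()` bounds `desc->flags`, but the `SOF_MEM_CAPS_*` bits named in the commit subject appear to be carried in `desc->caps`, which `buffer_alloc()` receives as a separate argument at the end of this hunk and which stays unchecked. If that reading is right, the test should be `if (desc->caps >= SOF_MEM_CAPS_MAX_BIT)`, with a separate bound for `flags` if that field has its own valid set. `desc->size` also reaches `buffer_alloc()` unvalidated, as the FIXME admits; the descriptor presumably arrives over IPC from outside the firmware, so that follow-up deserves a tracked issue and not only a comment. The body of `buffer_new()` continues past the end of the hunk.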