From 71afb2fc0aa383468d9a5a7084a9377ef279618a Mon Sep 17 00:00:00 2001
From: Jyri Sarha
Date: Wed, 16 Oct 2024 19:09:47 +0300
Subject: [PATCH] ipc3: handler: Add check for pipeline->source_comp being NULL

The fuzzer engine has produced crash caused by NULL pointer read that originated from ipc_stream_pcm_free(). The crash happens when the pipeline of the found comp_dev does not have a source_comp and pipeline_reset() is called for it. This commit simply adds a test for such a situation and bails out if it is found.

Here is the call stack from the situation:

#0 0x81e9317 in dev_comp_pipe_id sof/sof/src/include/sof/audio/component.h:646:25
#1 0x81e8015 in pipeline_comp_reset sof/sof/src/audio/pipeline/pipeline-graph.c:326:22
#2 0x81e7d1d in pipeline_reset sof/sof/src/audio/pipeline/pipeline-graph.c:393:8
#3 0x820d7ea in ipc_stream_pcm_free sof/sof/src/ipc/ipc3/handler.c:398:8
#4 0x8208969 in ipc_cmd sof/sof/src/ipc/ipc3/handler.c:1689:9
#5 0x81cbed8 in ipc_platform_do_cmd sof/sof/src/platform/posix/ipc.c:162:2
#6 0x81d10db in ipc_do_cmd sof/sof/src/ipc/ipc-common.c:330:9
#7 0x81f87e9 in task_run sof/sof/zephyr/include/rtos/task.h:94:9
#8 0x81f8308 in edf_work_handler sof/sof/zephyr/edf_schedule.c:31:16
#9 0x82b4b32 in work_queue_main sof/zephyr/kernel/work.c:668:3
#10 0x8193ec2 in z_thread_entry sof/zephyr/lib/os/thread_entry.c:36:2
#11 0x815f639 in __asan::AsanThread::ThreadStart(unsigned long long) /src/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277:25

Signed-off-by: Jyri Sarha
---
src/ipc/ipc3/handler.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/src/ipc/ipc3/handler.c b/src/ipc/ipc3/handler.c
index 4349c9606253..035f228b28e2 100644
--- a/src/ipc/ipc3/handler.c
+++ b/src/ipc/ipc3/handler.c
@@ -386,6 +386,13 @@ static int ipc_stream_pcm_free(uint32_t header)
 		return -EINVAL;
 	}
 
+	/* pipeline_reset() crashes if source_comp is NULL */
+	if (!pcm_dev->cd->pipeline->source_comp) {
+		ipc_cmd_err(&ipc_tr, "ipc: comp %d source comp not found",
+			    free_req.comp_id);
+		return -EINVAL;
+	}
+
 	/* reset the pipeline */
 	ret = pipeline_reset(pcm_dev->cd->pipeline, pcm_dev->cd);