ipc4: basefw_set_fw_config: validate TLV size

tmleman · tmleman · commit 7183cde9402a · 2026-05-13T12:22:50.000+02:00
basefw_set_fw_config() cast the IPC payload directly to struct sof_tlv*
and read tlv-&gt;type without checking that the reported payload length
(data_offset) was sufficient. A zero-length or undersized LargeConfigSet
with param_id=IPC4_FW_CONFIG could cause the handler to access memory
beyond the valid payload (CWE-125 / CWE-20).

Three guards are added before any TLV field access:

1. data_offset &lt; sizeof(struct sof_tlv)
   Rejects payloads too short to hold the type+length header (8 B).

2. data_offset &lt; sizeof(struct sof_tlv) + tlv-&gt;length
   Rejects payloads where the declared value length exceeds the
   actual buffer, preventing OOB reads of tlv-&gt;value[].

3. tlv-&gt;length &lt; sizeof(uint32_t) for IPC4_DMI_FORCE_L1_EXIT
   Rejects a TLV whose value field is too small to contain the
   force flag read by fw_config_set_force_l1_exit().

The TLV pointer cast is moved to after the header-size check so it
is never formed against an undersized buffer.

The warning log for unhandled types is updated to include the type
value to aid diagnostics.

Signed-off-by: Tomasz Leman &lt;tomasz.m.leman@intel.com&gt;
diff --git a/src/audio/base_fw_intel.c b/src/audio/base_fw_intel.c
@@ -470,17 +470,38 @@ __cold static int fw_config_set_force_l1_exit(const struct sof_tlv *tlv)
 __cold static int basefw_set_fw_config(bool first_block, bool last_block,
 				       uint32_t data_offset, const char *data)
 {
+	assert_can_be_cold();
+
+	/* Validate minimum TLV header (type + length fields) is present */
+	if (data_offset < sizeof(struct sof_tlv)) {
+		tr_err(&basefw_comp_tr, "FW_CONFIG payload too small: %u < %zu",
+		       data_offset, sizeof(struct sof_tlv));
+		return IPC4_INVALID_CONFIG_DATA_LEN;
+	}
+
 	const struct sof_tlv *tlv = (const struct sof_tlv *)data;
 
-	assert_can_be_cold();
+	/* Validate the TLV value payload fits within the reported buffer size */
+	if (tlv->length > data_offset - sizeof(struct sof_tlv)) {
+		tr_err(&basefw_comp_tr,
+		       "FW_CONFIG TLV value truncated: len %u exceeds payload %u",
+		       tlv->length, data_offset);
+		return IPC4_INVALID_CONFIG_DATA_LEN;
+	}
 
 	switch (tlv->type) {
 	case IPC4_DMI_FORCE_L1_EXIT:
+		if (tlv->length < sizeof(uint32_t)) {
+			tr_err(&basefw_comp_tr, "DMI_FORCE_L1_EXIT value too small: %u",
+			       tlv->length);
+			return IPC4_INVALID_CONFIG_DATA_LEN;
+		}
 		return fw_config_set_force_l1_exit(tlv);
 	default:
 		break;
 	}
-	tr_warn(&basefw_comp_tr, "returning success for Set FW_CONFIG without handling it");
+
+	tr_warn(&basefw_comp_tr, "Set FW_CONFIG: no handler for type %u", tlv->type);
 	return 0;
 }
 
