audio: eq_iir: Improve robustness for invalid configuration#10892
Open
singalsu wants to merge 1 commit into
Open
audio: eq_iir: Improve robustness for invalid configuration#10892singalsu wants to merge 1 commit into
singalsu wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves robustness of the EQ IIR module by validating configuration blob sizes and tightening bounds checks while parsing IIR coefficient data, aiming to prevent out-of-bounds reads and malformed configuration setup.
Changes:
- Track and validate the configuration blob length (
config_size) when fetching model data, both inprepareand on-the-fly update paths. - Harden coefficient parsing by deriving coefficient-area limits from the blob’s declared size and bounds-checking each response header/biquad block.
- Add range checks for
num_sections_in_seriesand reject blobs whose self-declared size doesn’t match the received blob length.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| src/math/iir_df2t.c | Adds validation for num_sections_in_series in DF2T delay sizing. |
| src/math/iir_df1.c | Adds validation for num_sections_in_series in DF1 delay sizing and corrects the delay comment. |
| src/audio/eq_iir/eq_iir.h | Adds config_size to store the blob length returned by comp_get_data_blob(). |
| src/audio/eq_iir/eq_iir.c | Validates blob size on prepare and runtime update before applying new configuration. |
| src/audio/eq_iir/eq_iir_generic.c | Adds coefficient-area bounds checks and enforces config->size == blob length in eq_iir_setup(). |
lyakh
approved these changes
Jun 12, 2026
| comp_err(mod->dev, "invalid configuration blob, size %zu", | ||
| cd->config_size); | ||
| return -EINVAL; | ||
| } |
Collaborator
There was a problem hiding this comment.
at least from the commit description it looks like this should be 4 commits
Collaborator
Author
There was a problem hiding this comment.
Too detailed description ... it's all about blob size check and not reading past it.
Harden the EQ IIR setup path against malformed IPC configuration blobs. The blob length returned by comp_get_data_blob() is now stored and checked against the expected range every time a new blob is taken, and the blob's self-declared size is cross-checked against it before use. The per-response walk that previously trusted num_sections from the blob now bounds the header and biquad data against the blob, so a bad length can no longer push the lookup pointer past the allocation. The df1 and df2t delay-size helpers also gained a range check on num_sections_in_series, which strides the delay line and was previously unchecked. Signed-off-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
Comment on lines
+132
to
+134
| cd->config = comp_get_data_blob(cd->model_handler, &cd->config_size, NULL); | ||
| if (!cd->config || eq_iir_check_blob_size(mod->dev, cd->config_size) < 0) | ||
| return -EINVAL; |
| sink_format = audio_stream_get_frm_fmt(&sinkb->stream); | ||
|
|
||
| cd->config = comp_get_data_blob(cd->model_handler, &data_size, NULL); | ||
| cd->config = comp_get_data_blob(cd->model_handler, &cd->config_size, NULL); |
Comment on lines
+206
to
+208
| if (cd->config && cd->config_size > 0) { | ||
| if (eq_iir_check_blob_size(dev, cd->config_size) < 0) | ||
| return -EINVAL; |
Comment on lines
+379
to
+382
| if (cd->config->size != cd->config_size) { | ||
| comp_err(mod->dev, "Incorrect configuration blob size"); | ||
| return -EINVAL; | ||
| } |
Comment on lines
+196
to
+200
| if (config->size < sizeof(*config)) { | ||
| comp_err(dev, "config size %u too small", config->size); | ||
| return -EINVAL; | ||
| } | ||
| payload_bytes = config->size - sizeof(*config); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Validate the EQ IIR configuration blob and IIR header fields to prevent out-of-bounds reads and malformed-state setup.