ASoC: SOF: Add IPC3 Kernel Injector
Add debugfs path to fake a malicious firmware message for fuzzing purposes. Skip IPC4 for initial integration Signed-off-by: Curtis Malainey <cujomalainey@chromium.org> Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com> Link: https://lore.kernel.org/r/20230608221822.2825786-2-cujomalainey@chromium.org Signed-off-by: Mark Brown <broonie@kernel.org>
This commit is contained in:
Родитель
12c41c779f
Коммит
70dad53ddf
|
@ -236,6 +236,17 @@ config SND_SOC_SOF_DEBUG_IPC_MSG_INJECTOR
|
|||
Say Y if you want to enable the IPC message injector.
|
||||
If unsure, select "N".
|
||||
|
||||
config SND_SOC_SOF_DEBUG_IPC_KERNEL_INJECTOR
|
||||
tristate "SOF enable IPC kernel injector"
|
||||
depends on SND_SOC_SOF
|
||||
select SND_SOC_SOF_CLIENT
|
||||
help
|
||||
This option enables the IPC kernel injector which can be used to send
|
||||
crafted IPC messages to the kernel to test its robustness against
|
||||
DSP messages.
|
||||
Say Y if you want to enable the IPC kernel injector.
|
||||
If unsure, select "N".
|
||||
|
||||
config SND_SOC_SOF_DEBUG_RETAIN_DSP_CONTEXT
|
||||
bool "SOF retain DSP context on any FW exceptions"
|
||||
help
|
||||
|
|
|
@ -26,6 +26,7 @@ snd-sof-of-objs := sof-of-dev.o
|
|||
|
||||
snd-sof-ipc-flood-test-objs := sof-client-ipc-flood-test.o
|
||||
snd-sof-ipc-msg-injector-objs := sof-client-ipc-msg-injector.o
|
||||
snd-sof-ipc-kernel-injector-objs := sof-client-ipc-kernel-injector.o
|
||||
snd-sof-probes-objs := sof-client-probes.o
|
||||
ifneq ($(CONFIG_SND_SOC_SOF_IPC3),)
|
||||
snd-sof-probes-objs += sof-client-probes-ipc3.o
|
||||
|
@ -49,6 +50,7 @@ obj-$(CONFIG_SND_SOC_SOF_PCI_DEV) += snd-sof-pci.o
|
|||
|
||||
obj-$(CONFIG_SND_SOC_SOF_DEBUG_IPC_FLOOD_TEST) += snd-sof-ipc-flood-test.o
|
||||
obj-$(CONFIG_SND_SOC_SOF_DEBUG_IPC_MSG_INJECTOR) += snd-sof-ipc-msg-injector.o
|
||||
obj-$(CONFIG_SND_SOC_SOF_DEBUG_IPC_KERNEL_INJECTOR) += snd-sof-ipc-kernel-injector.o
|
||||
obj-$(CONFIG_SND_SOC_SOF_DEBUG_PROBES) += snd-sof-probes.o
|
||||
|
||||
obj-$(CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL) += intel/
|
||||
|
|
|
@ -0,0 +1,162 @@
|
|||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
//
|
||||
// Copyright(c) 2023 Google Inc. All rights reserved.
|
||||
//
|
||||
// Author: Curtis Malainey <cujomalainey@chromium.org>
|
||||
//
|
||||
|
||||
#include <linux/auxiliary_bus.h>
|
||||
#include <linux/debugfs.h>
|
||||
#include <linux/mod_devicetable.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/pm_runtime.h>
|
||||
#include <sound/sof/header.h>
|
||||
|
||||
#include "sof-client.h"
|
||||
|
||||
#define SOF_IPC_CLIENT_SUSPEND_DELAY_MS 3000
|
||||
|
||||
struct sof_msg_inject_priv {
|
||||
struct dentry *kernel_dfs_file;
|
||||
size_t max_msg_size;
|
||||
|
||||
void *kernel_buffer;
|
||||
};
|
||||
|
||||
static int sof_msg_inject_dfs_open(struct inode *inode, struct file *file)
|
||||
{
|
||||
int ret = debugfs_file_get(file->f_path.dentry);
|
||||
|
||||
if (unlikely(ret))
|
||||
return ret;
|
||||
|
||||
ret = simple_open(inode, file);
|
||||
if (ret)
|
||||
debugfs_file_put(file->f_path.dentry);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static ssize_t sof_kernel_msg_inject_dfs_write(struct file *file, const char __user *buffer,
|
||||
size_t count, loff_t *ppos)
|
||||
{
|
||||
struct sof_client_dev *cdev = file->private_data;
|
||||
struct sof_msg_inject_priv *priv = cdev->data;
|
||||
struct sof_ipc_cmd_hdr *hdr = priv->kernel_buffer;
|
||||
struct device *dev = &cdev->auxdev.dev;
|
||||
ssize_t size;
|
||||
int ret;
|
||||
|
||||
if (*ppos)
|
||||
return 0;
|
||||
|
||||
size = simple_write_to_buffer(priv->kernel_buffer, priv->max_msg_size,
|
||||
ppos, buffer, count);
|
||||
if (size < 0)
|
||||
return size;
|
||||
if (size != count)
|
||||
return -EFAULT;
|
||||
|
||||
ret = pm_runtime_resume_and_get(dev);
|
||||
if (ret < 0 && ret != -EACCES) {
|
||||
dev_err_ratelimited(dev, "debugfs write failed to resume %d\n", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
sof_client_ipc_rx_message(cdev, hdr, priv->kernel_buffer);
|
||||
|
||||
pm_runtime_mark_last_busy(dev);
|
||||
ret = pm_runtime_put_autosuspend(dev);
|
||||
if (ret < 0)
|
||||
dev_err_ratelimited(dev, "debugfs write failed to idle %d\n", ret);
|
||||
|
||||
return count;
|
||||
};
|
||||
|
||||
static int sof_msg_inject_dfs_release(struct inode *inode, struct file *file)
|
||||
{
|
||||
debugfs_file_put(file->f_path.dentry);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static const struct file_operations sof_kernel_msg_inject_fops = {
|
||||
.open = sof_msg_inject_dfs_open,
|
||||
.write = sof_kernel_msg_inject_dfs_write,
|
||||
.release = sof_msg_inject_dfs_release,
|
||||
|
||||
.owner = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int sof_msg_inject_probe(struct auxiliary_device *auxdev,
|
||||
const struct auxiliary_device_id *id)
|
||||
{
|
||||
struct sof_client_dev *cdev = auxiliary_dev_to_sof_client_dev(auxdev);
|
||||
struct dentry *debugfs_root = sof_client_get_debugfs_root(cdev);
|
||||
struct device *dev = &auxdev->dev;
|
||||
struct sof_msg_inject_priv *priv;
|
||||
size_t alloc_size;
|
||||
|
||||
/* allocate memory for client data */
|
||||
priv = devm_kzalloc(&auxdev->dev, sizeof(*priv), GFP_KERNEL);
|
||||
if (!priv)
|
||||
return -ENOMEM;
|
||||
|
||||
priv->max_msg_size = sof_client_get_ipc_max_payload_size(cdev);
|
||||
alloc_size = priv->max_msg_size;
|
||||
priv->kernel_buffer = devm_kmalloc(dev, alloc_size, GFP_KERNEL);
|
||||
|
||||
if (!priv->kernel_buffer)
|
||||
return -ENOMEM;
|
||||
|
||||
cdev->data = priv;
|
||||
|
||||
priv->kernel_dfs_file = debugfs_create_file("kernel_ipc_msg_inject", 0644,
|
||||
debugfs_root, cdev,
|
||||
&sof_kernel_msg_inject_fops);
|
||||
|
||||
/* enable runtime PM */
|
||||
pm_runtime_set_autosuspend_delay(dev, SOF_IPC_CLIENT_SUSPEND_DELAY_MS);
|
||||
pm_runtime_use_autosuspend(dev);
|
||||
pm_runtime_set_active(dev);
|
||||
pm_runtime_enable(dev);
|
||||
pm_runtime_mark_last_busy(dev);
|
||||
pm_runtime_idle(dev);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void sof_msg_inject_remove(struct auxiliary_device *auxdev)
|
||||
{
|
||||
struct sof_client_dev *cdev = auxiliary_dev_to_sof_client_dev(auxdev);
|
||||
struct sof_msg_inject_priv *priv = cdev->data;
|
||||
|
||||
pm_runtime_disable(&auxdev->dev);
|
||||
|
||||
debugfs_remove(priv->kernel_dfs_file);
|
||||
}
|
||||
|
||||
static const struct auxiliary_device_id sof_msg_inject_client_id_table[] = {
|
||||
{ .name = "snd_sof.kernel_injector" },
|
||||
{},
|
||||
};
|
||||
MODULE_DEVICE_TABLE(auxiliary, sof_msg_inject_client_id_table);
|
||||
|
||||
/*
|
||||
* No need for driver pm_ops as the generic pm callbacks in the auxiliary bus
|
||||
* type are enough to ensure that the parent SOF device resumes to bring the DSP
|
||||
* back to D0.
|
||||
* Driver name will be set based on KBUILD_MODNAME.
|
||||
*/
|
||||
static struct auxiliary_driver sof_msg_inject_client_drv = {
|
||||
.probe = sof_msg_inject_probe,
|
||||
.remove = sof_msg_inject_remove,
|
||||
|
||||
.id_table = sof_msg_inject_client_id_table,
|
||||
};
|
||||
|
||||
module_auxiliary_driver(sof_msg_inject_client_drv);
|
||||
|
||||
MODULE_DESCRIPTION("SOF IPC Kernel Injector Client Driver");
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_IMPORT_NS(SND_SOC_SOF_CLIENT);
|
|
@ -16,6 +16,7 @@
|
|||
#include "ops.h"
|
||||
#include "sof-client.h"
|
||||
#include "sof-priv.h"
|
||||
#include "ipc3-priv.h"
|
||||
#include "ipc4-priv.h"
|
||||
|
||||
/**
|
||||
|
@ -126,6 +127,29 @@ static inline int sof_register_ipc_msg_injector(struct snd_sof_dev *sdev)
|
|||
static inline void sof_unregister_ipc_msg_injector(struct snd_sof_dev *sdev) {}
|
||||
#endif /* CONFIG_SND_SOC_SOF_DEBUG_IPC_MSG_INJECTOR */
|
||||
|
||||
#if IS_ENABLED(CONFIG_SND_SOC_SOF_DEBUG_IPC_KERNEL_INJECTOR)
|
||||
static int sof_register_ipc_kernel_injector(struct snd_sof_dev *sdev)
|
||||
{
|
||||
/* Only IPC3 supported right now */
|
||||
if (sdev->pdata->ipc_type != SOF_IPC)
|
||||
return 0;
|
||||
|
||||
return sof_client_dev_register(sdev, "kernel_injector", 0, NULL, 0);
|
||||
}
|
||||
|
||||
static void sof_unregister_ipc_kernel_injector(struct snd_sof_dev *sdev)
|
||||
{
|
||||
sof_client_dev_unregister(sdev, "kernel_injector", 0);
|
||||
}
|
||||
#else
|
||||
static inline int sof_register_ipc_kernel_injector(struct snd_sof_dev *sdev)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline void sof_unregister_ipc_kernel_injector(struct snd_sof_dev *sdev) {}
|
||||
#endif /* CONFIG_SND_SOC_SOF_DEBUG_IPC_KERNEL_INJECTOR */
|
||||
|
||||
int sof_register_clients(struct snd_sof_dev *sdev)
|
||||
{
|
||||
int ret;
|
||||
|
@ -146,6 +170,12 @@ int sof_register_clients(struct snd_sof_dev *sdev)
|
|||
goto err_msg_injector;
|
||||
}
|
||||
|
||||
ret = sof_register_ipc_kernel_injector(sdev);
|
||||
if (ret) {
|
||||
dev_err(sdev->dev, "IPC kernel injector client registration failed\n");
|
||||
goto err_kernel_injector;
|
||||
}
|
||||
|
||||
/* Platform depndent client device registration */
|
||||
|
||||
if (sof_ops(sdev) && sof_ops(sdev)->register_ipc_clients)
|
||||
|
@ -154,6 +184,9 @@ int sof_register_clients(struct snd_sof_dev *sdev)
|
|||
if (!ret)
|
||||
return 0;
|
||||
|
||||
sof_unregister_ipc_kernel_injector(sdev);
|
||||
|
||||
err_kernel_injector:
|
||||
sof_unregister_ipc_msg_injector(sdev);
|
||||
|
||||
err_msg_injector:
|
||||
|
@ -167,6 +200,7 @@ void sof_unregister_clients(struct snd_sof_dev *sdev)
|
|||
if (sof_ops(sdev) && sof_ops(sdev)->unregister_ipc_clients)
|
||||
sof_ops(sdev)->unregister_ipc_clients(sdev);
|
||||
|
||||
sof_unregister_ipc_kernel_injector(sdev);
|
||||
sof_unregister_ipc_msg_injector(sdev);
|
||||
sof_unregister_ipc_flood_test(sdev);
|
||||
}
|
||||
|
@ -269,6 +303,24 @@ int sof_client_ipc_tx_message(struct sof_client_dev *cdev, void *ipc_msg,
|
|||
}
|
||||
EXPORT_SYMBOL_NS_GPL(sof_client_ipc_tx_message, SND_SOC_SOF_CLIENT);
|
||||
|
||||
int sof_client_ipc_rx_message(struct sof_client_dev *cdev, void *ipc_msg, void *msg_buf)
|
||||
{
|
||||
if (cdev->sdev->pdata->ipc_type == SOF_IPC) {
|
||||
struct sof_ipc_cmd_hdr *hdr = ipc_msg;
|
||||
|
||||
if (hdr->size < sizeof(hdr)) {
|
||||
dev_err(cdev->sdev->dev, "The received message size is invalid\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
sof_ipc3_do_rx_work(cdev->sdev, ipc_msg, msg_buf);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
EXPORT_SYMBOL_NS_GPL(sof_client_ipc_rx_message, SND_SOC_SOF_CLIENT);
|
||||
|
||||
int sof_client_ipc_set_get_data(struct sof_client_dev *cdev, void *ipc_msg,
|
||||
bool set)
|
||||
{
|
||||
|
|
|
@ -75,5 +75,6 @@ int sof_client_register_fw_state_handler(struct sof_client_dev *cdev,
|
|||
sof_client_fw_state_callback callback);
|
||||
void sof_client_unregister_fw_state_handler(struct sof_client_dev *cdev);
|
||||
enum sof_fw_state sof_client_get_fw_state(struct sof_client_dev *cdev);
|
||||
int sof_client_ipc_rx_message(struct sof_client_dev *cdev, void *ipc_msg, void *msg_buf);
|
||||
|
||||
#endif /* __SOC_SOF_CLIENT_H */
|
||||
|
|
Загрузка…
Ссылка в новой задаче