From 42d7ba8c9186c6c2a26db2804f6b9f452aae11e2 Mon Sep 17 00:00:00 2001 From: Adrian Bonislawski Date: Tue, 9 Jun 2026 10:06:32 +0200 Subject: [PATCH] audio: copier: avoid serializing uninitialized stream position to host copier_get_configuration() returns LLP/position data to the host over IPC4 for IPC4_COPIER_MODULE_CFG_PARAM_LLP_READING and _EXTENDED. It declared the source 'posn' on the stack without initialization and called comp_position() ignoring its return value. On Zephyr-native DAI builds dai_common_position() writes posn.comp_posn only after a successful dma_get_status(); on a DMA-status error it returns early, leaving comp_posn uninitialized. The unchecked return then let convert_u64_to_u32s() serialize uninitialized stack bytes into the host reply (information disclosure) and report a fabricated stream position. Signed-off-by: Adrian Bonislawski
---
 src/audio/copier/copier.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/audio/copier/copier.c b/src/audio/copier/copier.c
index 93e018408bf3..11e4d2a23751 100644
--- a/src/audio/copier/copier.c
+++ b/src/audio/copier/copier.c
@@ -930,8 +930,9 @@ __cold static int copier_get_configuration(struct processing_module *mod,
 struct copier_data *cd = module_get_private_data(mod);
 struct ipc4_llp_reading_extended llp_ext;
 struct comp_dev *dev = mod->dev;
- struct sof_ipc_stream_posn posn;
+ struct sof_ipc_stream_posn posn = { 0 };
 struct ipc4_llp_reading llp;
+ int ret;
 assert_can_be_cold();
@@ -961,7 +962,9 @@ __cold static int copier_get_configuration(struct processing_module *mod,
 }
 /* get llp from dai */
- comp_position(dev, &posn);
+ ret = comp_position(dev, &posn);
+ if (ret < 0)
+ return ret;
 convert_u64_to_u32s(posn.comp_posn, &llp.llp_l, &llp.llp_u);
 convert_u64_to_u32s(posn.wallclock, &llp.wclk_l, &llp.wclk_u);
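Review bot: `llp` and `llp_ext`, the two structures that hold the host reply, are still declared without an initializer next to the newly zeroed `posn`. Their initialization is outside this hunk, so it is only inferred that they are cleared before use; if either is copied to the host as a whole structure, any field or padding not written by `convert_u64_to_u32s()` would carry stack bytes the same way `posn` did. It would be worth confirming that both are fully zeroed, for example with `memset(&llp, 0, sizeof(llp));`, before they are filled. The function body starts and ends outside the hunk.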
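Review bot: The early return added after `comp_position()` fails silently, and the same applies to the identical change in the hunk at -991. Nothing is logged, so the DMA-status failure described in the commit message would not show up in firmware traces; a line such as `comp_err(dev, "comp_position() failed: %d", ret);` before `return ret;` would make it diagnosable. The code that reports the reply size to the caller is outside the hunk, so this part is inferred: if that size is already set when the return runs, confirm the IPC4 layer drops the payload on a negative return rather than sending an unfilled buffer. The enclosing function starts and ends outside the hunk.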
@@ -991,7 +994,9 @@ __cold static int copier_get_configuration(struct processing_module *mod,
 }
 /* get llp from dai */
- comp_position(dev, &posn);
+ ret = comp_position(dev, &posn);
+ if (ret < 0)
+ return ret;
 convert_u64_to_u32s(posn.comp_posn, &llp_ext.llp_reading.llp_l, &llp_ext.llp_reading.llp_u);