ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()

If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.

Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension")
Signed-off-by: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/ZQSr15AYJpDpipg6@work
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
index bf91c8786162969fa803a7883970375555dc6210..af90c14ad57af7a6d252f5fd5a06267b1d04ea79 100644 (file)
--- a/sound/soc/sof/ipc4-topology.c
+++ b/sound/soc/sof/ipc4-topology.c
@@ -895,7 +895,8 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget)
        if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) {
                struct sof_ipc4_base_module_cfg_ext *base_cfg_ext;
                u32 ext_size = struct_size(base_cfg_ext, pin_formats,
-                                               swidget->num_input_pins + swidget->num_output_pins);
+                                          size_add(swidget->num_input_pins,
+                                                   swidget->num_output_pins));
 
                base_cfg_ext = kzalloc(ext_size, GFP_KERNEL);
                if (!base_cfg_ext) {