ipc3: bound host page count before page table DMA and parsing

The host-supplied ring->pages drives both the page table DMA transfer length (20 bits per page) and the DSP-side descriptor allocations, but only ring->size was sanity checked. A large page count could overflow the fixed-size page table buffer and wrap the page-count multiplication. Reject a zero or too-large page count at the single entry point before any use.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

src/ipc/ipc3/host-page-table.c

@@ -216,6 +216,22 @@ int ipc_process_host_buffer(struct ipc *ipc,
 	struct ipc_data_host_buffer *data_host_buffer;
 	int err;
 
+	/*
+	 * The host-supplied page count is used both to size DSP-side
+	 * allocations and to compute the DMA transfer length for the
+	 * compressed page table (20 bits per page). The destination
+	 * page_table buffer is a fixed PLATFORM_PAGE_TABLE_SIZE allocation,
+	 * so reject any count that would not fit before doing any
+	 * arithmetic that could overflow (ring->pages * 20). pages == 0 is
+	 * also invalid and would underflow the ring->size sanity check
+	 * below in ipc_parse_page_descriptors().
+	 */
+	if (ring->pages == 0 ||
+	    ring->pages > PLATFORM_PAGE_TABLE_SIZE * 8 / 20) {
+		tr_err(&ipc_tr, "ipc: invalid page count %u", ring->pages);
+		return -EINVAL;
+	}
+
 	data_host_buffer = ipc_platform_get_host_buffer(ipc);
 	dma_sg_init(elem_array);