From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:55792 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751711AbdK1J6y (ORCPT ); Tue, 28 Nov 2017 04:58:54 -0500 Subject: Patch "ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data" has been added to the 3.18-stable tree To: rf@opensource.wolfsonmicro.com, alexander.levin@verizon.com, broonie@kernel.org, gregkh@linuxfoundation.org Cc: , From: Date: Tue, 28 Nov 2017 10:58:54 +0100 Message-ID: <15118631349889@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Tue Nov 28 10:58:31 CET 2017 From: Richard Fitzgerald Date: Tue, 20 Dec 2016 10:29:12 +0000 Subject: ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data From: Richard Fitzgerald [ Upstream commit 1cab2a84f470e15ecc8e5143bfe9398c6e888032 ] Protect against corrupt firmware files by ensuring that the length we get for the data in a region actually lies within the available firmware file data buffer. Signed-off-by: Richard Fitzgerald Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- sound/soc/codecs/wm_adsp.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) --- a/sound/soc/codecs/wm_adsp.c +++ b/sound/soc/codecs/wm_adsp.c @@ -532,7 +532,7 @@ static int wm_adsp_load(struct wm_adsp * const struct wmfw_region *region; const struct wm_adsp_region *mem; const char *region_name; - char *file, *text; + char *file, *text = NULL; struct wm_adsp_buf *buf; unsigned int reg; int regions = 0; @@ -677,10 +677,21 @@ static int wm_adsp_load(struct wm_adsp * regions, le32_to_cpu(region->len), offset, region_name); + if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > + firmware->size) { + adsp_err(dsp, + "%s.%d: %s region len %d bytes exceeds file length %zu\n", + file, regions, region_name, + le32_to_cpu(region->len), firmware->size); + ret = -EINVAL; + goto out_fw; + } + if (text) { memcpy(text, region->data, le32_to_cpu(region->len)); adsp_info(dsp, "%s: %s\n", file, text); kfree(text); + text = NULL; } if (reg) { @@ -737,6 +748,7 @@ out_fw: regmap_async_complete(regmap); wm_adsp_buf_free(&buf_list); release_firmware(firmware); + kfree(text); out: kfree(file); @@ -1316,6 +1328,17 @@ static int wm_adsp_load_coeff(struct wm_ } if (reg) { + if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > + firmware->size) { + adsp_err(dsp, + "%s.%d: %s region len %d bytes exceeds file length %zu\n", + file, blocks, region_name, + le32_to_cpu(blk->len), + firmware->size); + ret = -EINVAL; + goto out_fw; + } + buf = wm_adsp_buf_alloc(blk->data, le32_to_cpu(blk->len), &buf_list); Patches currently in stable-queue which might be from rf@opensource.wolfsonmicro.com are queue-3.18/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch