From: Mike Frysinger <vapier@gentoo.org>
To: Lars-Peter Clausen <lars@metafoo.de>
Cc: drivers@analog.com, alsa-devel@alsa-project.org,
Mark Brown <broonie@opensource.wolfsonmicro.com>,
linux-kernel@vger.kernel.org, stable@kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Liam Girdwood <lrg@ti.com>
Subject: Re: [PATCH 1/8] firmware: Sigma: Prevent out of bounds memory access
Date: Thu, 24 Nov 2011 12:26:21 -0500 [thread overview]
Message-ID: <201111241226.23405.vapier@gentoo.org> (raw)
In-Reply-To: <1322138908-32127-1-git-send-email-lars@metafoo.de>
[-- Attachment #1.1: Type: Text/Plain, Size: 1197 bytes --]
On Thursday 24 November 2011 07:48:20 Lars-Peter Clausen wrote:
> The SigmaDSP firmware loader currently does not perform enough boundary
> size checks when processing the firmware. As a result it is possible that
> a malformed firmware can cause an out of bounds memory access.
>
> This patch adds checks which ensure that both the action header and the
> payload are completely inside the firmware data boundaries before
> processing them.
in general this looks fine ...
> --- a/drivers/firmware/sigma.c
> +++ b/drivers/firmware/sigma.c
>
> -/* Return: 0==OK, <0==error, =1 ==no more actions */
> static int
> +process_sigma_action(struct i2c_client *client, struct
> sigma_action *sa)
looks like you're inverting the semantics of this func. i'd add an updated
comment above the func to document the new return values.
> + /* Reject too small or unreasonable large files. The upper limit is
> + * chosen a bit arbitrarily but it should be enough for all practical
> + * purposes and having the limit makes it easier to avoid integer
> + * overflows later in the loading process. */
multi-line comment style:
/*
* line one
* line two
*/
-mike
[-- Attachment #1.2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Mike Frysinger <vapier@gentoo.org>
To: "Lars-Peter Clausen" <lars@metafoo.de>
Cc: Mark Brown <broonie@opensource.wolfsonmicro.com>,
Liam Girdwood <lrg@ti.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
drivers@analog.com, stable@kernel.org
Subject: Re: [PATCH 1/8] firmware: Sigma: Prevent out of bounds memory access
Date: Thu, 24 Nov 2011 12:26:21 -0500 [thread overview]
Message-ID: <201111241226.23405.vapier@gentoo.org> (raw)
In-Reply-To: <1322138908-32127-1-git-send-email-lars@metafoo.de>
[-- Attachment #1: Type: Text/Plain, Size: 1197 bytes --]
On Thursday 24 November 2011 07:48:20 Lars-Peter Clausen wrote:
> The SigmaDSP firmware loader currently does not perform enough boundary
> size checks when processing the firmware. As a result it is possible that
> a malformed firmware can cause an out of bounds memory access.
>
> This patch adds checks which ensure that both the action header and the
> payload are completely inside the firmware data boundaries before
> processing them.
in general this looks fine ...
> --- a/drivers/firmware/sigma.c
> +++ b/drivers/firmware/sigma.c
>
> -/* Return: 0==OK, <0==error, =1 ==no more actions */
> static int
> +process_sigma_action(struct i2c_client *client, struct
> sigma_action *sa)
looks like you're inverting the semantics of this func. i'd add an updated
comment above the func to document the new return values.
> + /* Reject too small or unreasonable large files. The upper limit is
> + * chosen a bit arbitrarily but it should be enough for all practical
> + * purposes and having the limit makes it easier to avoid integer
> + * overflows later in the loading process. */
multi-line comment style:
/*
* line one
* line two
*/
-mike
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2011-11-24 17:26 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-24 12:48 [PATCH 1/8] firmware: Sigma: Prevent out of bounds memory access Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 12:48 ` [PATCH 2/8] firmware: Sigma: Skip header during CRC generation Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 17:21 ` Mike Frysinger
2011-11-25 8:55 ` Lars-Peter Clausen
2011-11-25 8:55 ` Lars-Peter Clausen
2011-11-25 20:00 ` Mike Frysinger
2011-11-25 20:00 ` Mike Frysinger
2011-11-28 7:56 ` Lars-Peter Clausen
2011-11-28 7:56 ` Lars-Peter Clausen
2011-11-29 5:11 ` Mike Frysinger
2011-11-29 5:11 ` Mike Frysinger
2011-11-24 12:48 ` [PATCH 3/8] firmware: Sigma: Fix endianess issues Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 17:20 ` Mike Frysinger
2011-11-24 17:20 ` Mike Frysinger
2011-11-24 12:48 ` [PATCH 4/8] firmware: Sigma: Mark firmware strutcs packed Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 17:19 ` Mike Frysinger
2011-11-25 10:48 ` Lars-Peter Clausen
2011-11-25 20:07 ` Mike Frysinger
2011-11-25 20:07 ` Mike Frysinger
2011-11-24 12:48 ` [PATCH 5/8] ASoC: Move SigmaDSP firmware loader to ASoC Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 13:15 ` [PATCH v2 " Lars-Peter Clausen
2011-11-24 13:15 ` Lars-Peter Clausen
2011-11-24 17:31 ` Mike Frysinger
2011-11-24 17:31 ` Mike Frysinger
2011-11-24 12:48 ` [PATCH 6/8] ASoC: SigmaDSP: Provide diagnostic error messages Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 17:32 ` Mike Frysinger
2011-11-24 17:32 ` Mike Frysinger
2011-11-25 8:59 ` Lars-Peter Clausen
2011-11-25 8:59 ` Lars-Peter Clausen
2011-11-25 20:02 ` Mike Frysinger
2011-11-24 12:48 ` [PATCH 7/8] ASoC: SigmaDSP: Move private structs and functions to c file Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 17:31 ` Mike Frysinger
2011-11-24 17:31 ` Mike Frysinger
2011-11-24 12:48 ` [PATCH 8/8] ASoC: SigmaDSP: Add regmap support Lars-Peter Clausen
2011-11-24 12:48 ` Lars-Peter Clausen
2011-11-24 17:30 ` Mike Frysinger
2011-11-25 9:00 ` Lars-Peter Clausen
2011-11-25 9:00 ` Lars-Peter Clausen
2011-11-24 17:26 ` Mike Frysinger [this message]
2011-11-24 17:26 ` [PATCH 1/8] firmware: Sigma: Prevent out of bounds memory access Mike Frysinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201111241226.23405.vapier@gentoo.org \
--to=vapier@gentoo.org \
--cc=akpm@linux-foundation.org \
--cc=alsa-devel@alsa-project.org \
--cc=broonie@opensource.wolfsonmicro.com \
--cc=drivers@analog.com \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=lrg@ti.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.