From: sashiko-bot@kernel.org
To: "Ben Levinsky" <ben.levinsky@amd.com>
Cc: imx@lists.linux.dev, wsa+renesas@sang-engineering.com,
Frank.Li@kernel.org
Subject: Re: [PATCH v2 5/5] remoteproc: switch drivers to optional resource-table helper
Date: Thu, 14 May 2026 22:14:55 +0000 [thread overview]
Message-ID: <20260514221455.A97F1C2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260514162129.1504162-6-ben.levinsky@amd.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] This problem wasn't introduced by this patch, but an integer overflow in ELF segment bounds checking in `imx_dsp_rproc_elf_load_segments()` allows an attacker to bypass validations and perform an out-of-bounds read. `offset` and `filesz` are 64-bit values (`u64`) parsed directly from ELF program headers. The boundary check `if (offset + filesz > fw->size)` lacks protection against integer overflow. A malicious or corrupted firmware can supply a massive `offset` (e.g., 0xFFFFFFFFFFFFFFFE) and a small `filesz` (e.g., 0x10), causing `offset + filesz` to wrap around to a small integer (0x0E). This bypasses the `> fw->size` check. The code then executes `imx_dsp_rproc_memcpy(ptr, elf_data + offset, filesz);`, where pointer arithmetic on `elf_data + offset` resolves outside the firmware buffer, resulting in an out-of-bounds read that leaks kernel memory or causes a kernel panic.
--
commit 71c8dfba5336b57c340ad4c8970a2211c5b78f4f
Author: Ben Levinsky <ben.levinsky@amd.com>
remoteproc: switch drivers to optional resource-table helper
This commit switches several remoteproc drivers to use the shared optional
resource-table helper for firmware that treats a missing resource table as
non-fatal. It retains local parse_fw() wrappers to manage return-value
logging and severity.
> diff --git a/drivers/remoteproc/imx_dsp_rproc.c b/drivers/remoteproc/imx_dsp_rproc.c
> index 2d9f14fbef1da..2ff74f7938f61 100644
> --- a/drivers/remoteproc/imx_dsp_rproc.c
> +++ b/drivers/remoteproc/imx_dsp_rproc.c
> @@ -954,14 +954,6 @@ static int imx_dsp_rproc_elf_load_segments(struct rproc *rproc, const struct fir
> return ret;
> }
This problem wasn't introduced by this patch, but while reviewing
imx_dsp_rproc_elf_load_segments(), I noticed a potential integer overflow
in the ELF segment bounds checking.
Since offset and filesz are 64-bit values (u64) parsed directly from the
ELF program headers, does this code overflow offset + filesz?
drivers/remoteproc/imx_dsp_rproc.c:imx_dsp_rproc_elf_load_segments() {
...
if (offset + filesz > fw->size) {
dev_err(dev, "truncated fw: need 0x%llx avail 0x%zx\n",
offset + filesz, fw->size);
ret = -EINVAL;
break;
}
...
if (filesz) {
ret = imx_dsp_rproc_memcpy(ptr, elf_data + offset, filesz);
...
}
A malicious or corrupted firmware could supply a massive offset
(e.g., 0xFFFFFFFFFFFFFFFE) and a small filesz (e.g., 0x10).
This would cause offset + filesz to wrap around to a small integer (0x0E),
bypassing the bounds check.
Could this lead to pointer arithmetic on elf_data + offset resolving
outside the firmware buffer, resulting in an out-of-bounds read during
the memcpy?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260514162129.1504162-1-ben.levinsky@amd.com?part=5
prev parent reply other threads:[~2026-05-14 22:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-14 16:21 [PATCH v2 0/5] remoteproc: cleanup shared carveout and resource-table helpers Ben Levinsky
2026-05-14 16:21 ` [PATCH v2 1/5] remoteproc: add common wc-ioremap carveout callbacks Ben Levinsky
2026-05-14 16:21 ` [PATCH v2 2/5] remoteproc: switch exact-match drivers to wc-ioremap callbacks Ben Levinsky
2026-05-14 21:00 ` sashiko-bot
2026-05-14 16:21 ` [PATCH v2 3/5] remoteproc: mark wc-ioremap carveouts as iomem Ben Levinsky
2026-05-14 21:48 ` sashiko-bot
2026-05-14 16:21 ` [PATCH v2 4/5] remoteproc: add helper for optional ELF resource tables Ben Levinsky
2026-05-14 16:21 ` [PATCH v2 5/5] remoteproc: switch drivers to optional resource-table helper Ben Levinsky
2026-05-14 22:14 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260514221455.A97F1C2BCB3@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=ben.levinsky@amd.com \
--cc=imx@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox