From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1C96F1DDCE; Tue, 16 Jul 2024 16:00:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721145658; cv=none; b=AmGhrZecdpdWt6YLm1YXltMQYzhQgMOQT4LPWzFAHaA98uFBTxCL8A47N1NObfH2jV+F59JBSHsuvFtp5R9G1jPgGpm1QoYA3rgABo7jW3CNv4ij9ZreP1DtSjy3kHuHRGoXvV+neu4NWKGded9ZzASBAx1aIUczD0EWMC7kJv4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721145658; c=relaxed/simple; bh=AHnGMIRGhlCDGYE4geJXOvM5VCoaDMVeNOW7CL6ZpeE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=te/5/HZKhU8GBZxisV2AKqd5AvLhE0aYUJS3T+Fk+kWH3Go6+GpkK+3s9T+Kf99LLmLEgO14mme6az5IJbjyVcuIzEomj5mpal1PLk/luUkLlKy0nElm8+jXtjy9TY0G4IBWTp0ZdvaUIuHpAiQnONkfEApY9xLxQn+B5JHbNC4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=p9t+5B7y; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="p9t+5B7y" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8DE6EC4AF0D; Tue, 16 Jul 2024 16:00:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1721145657; bh=AHnGMIRGhlCDGYE4geJXOvM5VCoaDMVeNOW7CL6ZpeE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=p9t+5B7yVukKGxzrFGDcTn+7hmCDG09q0k5rdBEcKJ4tSrmorxzjx8ow5X5CuKMbK O6leNrDY7UDcKXz+0HZ+VMtFteMGLeb1kgZhAmP3Rs2gfYObfsvcq+Y+xO6nIHfqDN iq2D3l5ucVQAyZ+uAUch4K9LqMxJ2nI1UTHoiv0o= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Richard Fitzgerald , Mark Brown , Sasha Levin Subject: [PATCH 6.6 040/121] firmware: cs_dsp: Validate payload length before processing block Date: Tue, 16 Jul 2024 17:31:42 +0200 Message-ID: <20240716152752.866238620@linuxfoundation.org> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240716152751.312512071@linuxfoundation.org> References: <20240716152751.312512071@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Richard Fitzgerald [ Upstream commit 6598afa9320b6ab13041616950ca5f8f938c0cf1 ] Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load() to be done before the block is processed. The check that the length of a block payload does not exceed the number of remaining bytes in the firwmware file buffer was being done near the end of the loop iteration. However, some code before that check used the length field without validating it. Signed-off-by: Richard Fitzgerald Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs") Link: https://patch.msgid.link/20240627141432.93056-4-rf@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin --- drivers/firmware/cirrus/cs_dsp.c | 36 +++++++++++++------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c index 28d24cf4456da..031fd3e4045ec 100644 --- a/drivers/firmware/cirrus/cs_dsp.c +++ b/drivers/firmware/cirrus/cs_dsp.c @@ -1398,6 +1398,12 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, } region = (void *)&(firmware->data[pos]); + + if (le32_to_cpu(region->len) > firmware->size - pos - sizeof(*region)) { + ret = -EOVERFLOW; + goto out_fw; + } + region_name = "Unknown"; reg = 0; text = NULL; @@ -1454,16 +1460,6 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, regions, le32_to_cpu(region->len), offset, region_name); - if (le32_to_cpu(region->len) > - firmware->size - pos - sizeof(*region)) { - cs_dsp_err(dsp, - "%s.%d: %s region len %d bytes exceeds file length %zu\n", - file, regions, region_name, - le32_to_cpu(region->len), firmware->size); - ret = -EINVAL; - goto out_fw; - } - if (text) { memcpy(text, region->data, le32_to_cpu(region->len)); cs_dsp_info(dsp, "%s: %s\n", file, text); @@ -2093,6 +2089,11 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware blk = (void *)(&firmware->data[pos]); + if (le32_to_cpu(blk->len) > firmware->size - pos - sizeof(*blk)) { + ret = -EOVERFLOW; + goto out_fw; + } + type = le16_to_cpu(blk->type); offset = le16_to_cpu(blk->offset); version = le32_to_cpu(blk->ver) >> 8; @@ -2189,17 +2190,6 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware } if (reg) { - if (le32_to_cpu(blk->len) > - firmware->size - pos - sizeof(*blk)) { - cs_dsp_err(dsp, - "%s.%d: %s region len %d bytes exceeds file length %zu\n", - file, blocks, region_name, - le32_to_cpu(blk->len), - firmware->size); - ret = -EINVAL; - goto out_fw; - } - buf = cs_dsp_buf_alloc(blk->data, le32_to_cpu(blk->len), &buf_list); @@ -2239,6 +2229,10 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware regmap_async_complete(regmap); cs_dsp_buf_free(&buf_list); kfree(text); + + if (ret == -EOVERFLOW) + cs_dsp_err(dsp, "%s: file content overflows file data\n", file); + return ret; } -- 2.43.0