ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
authorRichard Fitzgerald <rf@opensource.wolfsonmicro.com>
Tue, 20 Dec 2016 10:29:12 +0000 (10:29 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Nov 2017 08:35:55 +0000 (08:35 +0000)
[ Upstream commit 1cab2a84f470e15ecc8e5143bfe9398c6e888032 ]

Protect against corrupt firmware files by ensuring that the length we
get for the data in a region actually lies within the available firmware
file data buffer.

Signed-off-by: Richard Fitzgerald <rf@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sound/soc/codecs/wm_adsp.c

index 7f2f661c6453717eb84643506675e8909332d119..d53bfd4d0ada24a56b6b1c4a9ce76a2af5e9eec9 100644 (file)
@@ -532,7 +532,7 @@ static int wm_adsp_load(struct wm_adsp *dsp)
        const struct wmfw_region *region;
        const struct wm_adsp_region *mem;
        const char *region_name;
-       char *file, *text;
+       char *file, *text = NULL;
        struct wm_adsp_buf *buf;
        unsigned int reg;
        int regions = 0;
@@ -677,10 +677,21 @@ static int wm_adsp_load(struct wm_adsp *dsp)
                         regions, le32_to_cpu(region->len), offset,
                         region_name);
 
+               if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
+                   firmware->size) {
+                       adsp_err(dsp,
+                                "%s.%d: %s region len %d bytes exceeds file length %zu\n",
+                                file, regions, region_name,
+                                le32_to_cpu(region->len), firmware->size);
+                       ret = -EINVAL;
+                       goto out_fw;
+               }
+
                if (text) {
                        memcpy(text, region->data, le32_to_cpu(region->len));
                        adsp_info(dsp, "%s: %s\n", file, text);
                        kfree(text);
+                       text = NULL;
                }
 
                if (reg) {
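Review bot: The guard on the first added lines computes `pos + le32_to_cpu(region->len) + sizeof(*region)` before comparing, so on a build where size_t is 32 bits a crafted region->len near UINT_MAX can wrap the sum below firmware->size and slip past the check, leaving the memcpy into text unbounded again; the same expression is used for `blk->len` in the wm_adsp_load_coeff hunk at the end of this commit. If the surrounding loop condition (outside this hunk) already guarantees that the region header itself fits, subtracting first cannot wrap: `if (le32_to_cpu(region->len) > firmware->size - pos - sizeof(*region))`; otherwise the header-fits check should precede it. Separately, the adsp_err messages here and in the load_coeff hunk print the u32 returned by le32_to_cpu with `%d`; `%u` matches the type and avoids a negative display for large lengths. wm_adsp_load begins and ends outside this hunk, so the declared type of pos is inferred, not visible.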
@@ -737,6 +748,7 @@ out_fw:
        regmap_async_complete(regmap);
        wm_adsp_buf_free(&buf_list);
        release_firmware(firmware);
+       kfree(text);
 out:
        kfree(file);
 
@@ -1316,6 +1328,17 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp)
                }
 
                if (reg) {
+                       if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
+                           firmware->size) {
+                               adsp_err(dsp,
+                                        "%s.%d: %s region len %d bytes exceeds file length %zu\n",
+                                        file, blocks, region_name,
+                                        le32_to_cpu(blk->len),
+                                        firmware->size);
+                               ret = -EINVAL;
+                               goto out_fw;
+                       }
+
                        buf = wm_adsp_buf_alloc(blk->data,
                                                le32_to_cpu(blk->len),
                                                &buf_list);