Unverified Commit 3d632df6 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!10385 firmware: cs_dsp: Fix overflow checking of wmfw header

parents 5ed8ff86 c9663eab
+18 −7
@@ -1267,6 +1267,10 @@ static unsigned int cs_dsp_adsp1_parse_sizes(struct cs_dsp *dsp,
	const struct wmfw_adsp1_sizes *adsp1_sizes;

	adsp1_sizes = (void *)&firmware->data[pos];
	if (sizeof(*adsp1_sizes) > firmware->size - pos) {
		cs_dsp_err(dsp, "%s: file truncated\n", file);
		return 0;
	}

	cs_dsp_dbg(dsp, "%s: %d DM, %d PM, %d ZM\n", file,
		   le32_to_cpu(adsp1_sizes->dm), le32_to_cpu(adsp1_sizes->pm),
@@ -1283,6 +1287,10 @@ static unsigned int cs_dsp_adsp2_parse_sizes(struct cs_dsp *dsp,
	const struct wmfw_adsp2_sizes *adsp2_sizes;

	adsp2_sizes = (void *)&firmware->data[pos];
	if (sizeof(*adsp2_sizes) > firmware->size - pos) {
		cs_dsp_err(dsp, "%s: file truncated\n", file);
		return 0;
	}

	cs_dsp_dbg(dsp, "%s: %d XM, %d YM %d PM, %d ZM\n", file,
		   le32_to_cpu(adsp2_sizes->xm), le32_to_cpu(adsp2_sizes->ym),
@@ -1322,7 +1330,6 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,
	struct regmap *regmap = dsp->regmap;
	unsigned int pos = 0;
	const struct wmfw_header *header;
	const struct wmfw_adsp1_sizes *adsp1_sizes;
	const struct wmfw_footer *footer;
	const struct wmfw_region *region;
	const struct cs_dsp_region *mem;
@@ -1338,10 +1345,8 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,

	ret = -EINVAL;

	pos = sizeof(*header) + sizeof(*adsp1_sizes) + sizeof(*footer);
	if (pos >= firmware->size) {
		cs_dsp_err(dsp, "%s: file too short, %zu bytes\n",
			   file, firmware->size);
	if (sizeof(*header) >= firmware->size) {
		ret = -EOVERFLOW;
		goto out_fw;
	}

@@ -1369,13 +1374,16 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,

	pos = sizeof(*header);
	pos = dsp->ops->parse_sizes(dsp, file, pos, firmware);
	if ((pos == 0) || (sizeof(*footer) > firmware->size - pos)) {
		ret = -EOVERFLOW;
		goto out_fw;
	}

	footer = (void *)&firmware->data[pos];
	pos += sizeof(*footer);

	if (le32_to_cpu(header->len) != pos) {
		cs_dsp_err(dsp, "%s: unexpected header length %d\n",
			   file, le32_to_cpu(header->len));
		ret = -EOVERFLOW;
		goto out_fw;
	}

@@ -1501,6 +1509,9 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,
	cs_dsp_buf_free(&buf_list);
	kfree(text);

	if (ret == -EOVERFLOW)
		cs_dsp_err(dsp, "%s: file content overflows file data\n", file);

	return ret;
}
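Review bot: The new bounds check in cs_dsp_adsp1_parse_sizes(), `sizeof(*adsp1_sizes) > firmware->size - pos`, and its twin in cs_dsp_adsp2_parse_sizes() are only sound while `pos <= firmware->size`, because the subtraction is unsigned and would otherwise wrap to a very large value, so the truncation test would no longer reject a short file. The one call site visible here passes `sizeof(*header)` after cs_dsp_load() has rejected `sizeof(*header) >= firmware->size`, so the precondition holds today, but the functions are reached through `dsp->ops->parse_sizes` and nothing in them states that requirement. Either make the check self-contained, `if (pos > firmware->size || sizeof(*adsp1_sizes) > firmware->size - pos) {`, or add a comment above each function such as `/* Caller guarantees pos < firmware->size; returns the new offset, or 0 if the file is truncated. */`. The bodies of both parse_sizes functions and of cs_dsp_load() continue outside the hunks shown, so the success return value is inferred from how cs_dsp_load() uses it.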