firmware: cs_dsp: Validate payload length before processing block

author Richard Fitzgerald <rf@opensource.cirrus.com>

Thu, 27 Jun 2024 14:14:31 +0000 (15:14 +0100)

committer Mark Brown <broonie@kernel.org>

Mon, 1 Jul 2024 13:10:24 +0000 (14:10 +0100)
author Richard Fitzgerald <rf@opensource.cirrus.com>
Thu, 27 Jun 2024 14:14:31 +0000 (15:14 +0100)
committer Mark Brown <broonie@kernel.org>
Mon, 1 Jul 2024 13:10:24 +0000 (14:10 +0100)
diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c

index 47cf91be99a1364fe8ef43a42384b38d2fa2ab3c..13ff08870d698e3ddfca42c2779566b1f33ba729 100644 (file)
--- a/drivers/firmware/cirrus/cs_dsp.c
+++ b/drivers/firmware/cirrus/cs_dsp.c
@@ -1452,6 +1452,12 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,
                 }
  
                 region = (void *)&(firmware->data[pos]);
+
+               if (le32_to_cpu(region->len) > firmware->size - pos - sizeof(*region)) {
+                       ret = -EOVERFLOW;
+                       goto out_fw;
+               }
+
                 region_name = "Unknown";
                 reg = 0;
                 text = NULL;
@@ -1508,16 +1514,6 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware,
                            regions, le32_to_cpu(region->len), offset,
                            region_name);
  
-               if (le32_to_cpu(region->len) >
-                   firmware->size - pos - sizeof(*region)) {
-                       cs_dsp_err(dsp,
-                                  "%s.%d: %s region len %d bytes exceeds file length %zu\n",
-                                  file, regions, region_name,
-                                  le32_to_cpu(region->len), firmware->size);
-                       ret = -EINVAL;
-                       goto out_fw;
-               }
-
                 if (text) {
                         memcpy(text, region->data, le32_to_cpu(region->len));
                         cs_dsp_info(dsp, "%s: %s\n", file, text);
@@ -2147,6 +2143,11 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware
  
                 blk = (void *)(&firmware->data[pos]);
  
+               if (le32_to_cpu(blk->len) > firmware->size - pos - sizeof(*blk)) {
+                       ret = -EOVERFLOW;
+                       goto out_fw;
+               }
+
                 type = le16_to_cpu(blk->type);
                 offset = le16_to_cpu(blk->offset);
                 version = le32_to_cpu(blk->ver) >> 8;
@@ -2243,17 +2244,6 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware
                 }
  
                 if (reg) {
-                       if (le32_to_cpu(blk->len) >
-                           firmware->size - pos - sizeof(*blk)) {
-                               cs_dsp_err(dsp,
-                                          "%s.%d: %s region len %d bytes exceeds file length %zu\n",
-                                          file, blocks, region_name,
-                                          le32_to_cpu(blk->len),
-                                          firmware->size);
-                               ret = -EINVAL;
-                               goto out_fw;
-                       }
-
                         buf = cs_dsp_buf_alloc(blk->data,
                                                le32_to_cpu(blk->len),
                                                &buf_list);
@@ -2293,6 +2283,10 @@ out_fw:
         regmap_async_complete(regmap);
         cs_dsp_buf_free(&buf_list);
         kfree(text);
+
+       if (ret == -EOVERFLOW)
+               cs_dsp_err(dsp, "%s: file content overflows file data\n", file);
+
         return ret;
  }
author	Richard Fitzgerald <rf@opensource.cirrus.com>
	Thu, 27 Jun 2024 14:14:31 +0000 (15:14 +0100)
committer	Mark Brown <broonie@kernel.org>
	Mon, 1 Jul 2024 13:10:24 +0000 (14:10 +0100)