git.ipfire.org Git - thirdparty/kernel/stable.git/commit
wifi: rtw89: fw: validate multi-firmware header before accessing
author Ping-Ke Shih <pkshih@realtek.com>
Mon, 3 Feb 2025 07:29:10 +0000 (15:29 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 29 May 2025 09:13:35 +0000 (11:13 +0200)
commit 74589f157f17a574e8fd33e47c7b3ada2b67e713
tree a7f0e296a0a52327e30cae3afb82110f0333b73d
parent 67bbb66ee88a8b5367b4fd3a08160d66a0d9e070
wifi: rtw89: fw: validate multi-firmware header before accessing

[ Upstream commit 1f0efffd597893404aea5c3d4f1bdaa1c61d4434 ]

A firmware file contains multi-firmware with a header to represent
contents. The mfw_hdr->fw_nr is to define number of firmware in file.

         +-----+-------+------+---------+--------------+
         | sig | fw_nr | rsvd | version | reserved     |
         +---------------------------------------------+ --
 fw 0    | cv | type | mp | rsvd | shift | size | rsvd |   \
         +---------------------------------------------+   |
 fw 1    | cv | type | mp | rsvd | shift | size | rsvd |   | mfw_hdr->fw_nr
         +---------------------------------------------+   |
 fw N-1  |                  ...                        |   /
         +=============================================+ --
         |               fw 0 content                  |
         |       (pointed by fw0 shift/size)           |
         +=============================================+

To avoid Coverity warning, validate header is in range of firmware size,
and also validate the range of actual firmware content is in range.

Addresses-Coverity-ID: 1494046 ("Untrusted loop bound")

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250203072911.47313-4-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/wireless/realtek/rtw89/fw.c
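
Added example, not the patch's code or the rtw89 driver's: a bounds check of the kind the commit message describes, confirming that the entry table implied by fw_nr and an entry's shift/size range both lie inside the file before they are read. The 16-byte header and entry sizes, the field offsets, the little-endian encoding, the sample bytes and all function and macro names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes/offsets for illustration; the page names the fields only. */
#define MFW_HDR_LEN   16u  /* sig, fw_nr, rsvd, version, reserved */
#define MFW_INFO_LEN  16u  /* cv, type, mp, rsvd, shift, size, rsvd */
#define MFW_OFF_FW_NR  1u  /* within the header */
#define MFW_OFF_SHIFT  4u  /* within an entry, little-endian u32 */
#define MFW_OFF_SIZE   8u  /* within an entry, little-endian u32 */

struct mfw_range { uint32_t shift, size; };

static uint32_t get_le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 and fills *out for entry idx, or a negative code on bad input. */
int mfw_entry_range(const uint8_t *buf, size_t len, unsigned idx,
                    struct mfw_range *out)
{
    const uint8_t *e;

    if (len < MFW_HDR_LEN)
        return -1;                 /* fixed header truncated */
    /* fw_nr is untrusted: the whole entry table must fit in the file */
    if ((size_t)buf[MFW_OFF_FW_NR] * MFW_INFO_LEN > len - MFW_HDR_LEN)
        return -2;
    if (idx >= buf[MFW_OFF_FW_NR])
        return -3;
    e = buf + MFW_HDR_LEN + (size_t)idx * MFW_INFO_LEN;
    out->shift = get_le32(e + MFW_OFF_SHIFT);
    out->size = get_le32(e + MFW_OFF_SIZE);
    /* overflow-safe form of shift + size <= len */
    if (out->shift > len || out->size > len - out->shift)
        return -4;
    return 0;
}

/* Constructed sample: fw_nr = 1, entry 0 points at 4 bytes at offset 32. */
static const uint8_t mfw_sample[36] = { [1] = 1, [16 + 4] = 32, [16 + 8] = 4 };

int main(void)
{
    struct mfw_range r;
    printf("whole file: %d\n", mfw_entry_range(mfw_sample, sizeof(mfw_sample), 0, &r));
    printf("cut to 34 bytes: %d\n", mfw_entry_range(mfw_sample, 34, 0, &r));
    return 0;
}
```

The second check is written as `size > len - shift` rather than `shift + size > len` so that a large size value cannot wrap the sum and pass.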