]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c79aa03)
Input: ims-pcu - check record size in ims_pcu_flash_firmware()
authorDan Carpenter <dan.carpenter@linaro.org>
Fri, 30 May 2025 23:13:32 +0000 (16:13 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Jun 2025 10:04:13 +0000 (11:04 +0100)
commit a95ef0199e80f3384eb992889322957d26c00102 upstream.

The "len" variable comes from the firmware and we generally do
trust firmware, but it's always better to double check.  If the "len"
is too large it could result in memory corruption when we do
"memcpy(fragment->data, rec->data, len);"

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/131fd1ae92c828ee9f4fa2de03d8c210ae1f3524.1748463049.git.dan.carpenter@linaro.org
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/input/misc/ims-pcu.c patch | blob | blame | history

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index e5cb20e7f57b1fe747db6d73b048e749c0b41527..7ced98d07431c30f6a6546188c8d43f9dbb0b503 100644 (file)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -845,6 +845,12 @@ static int ims_pcu_flash_firmware(struct ims_pcu *pcu,
                addr = be32_to_cpu(rec->addr) / 2;
                len = be16_to_cpu(rec->len);
 
+               if (len > sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment)) {
+                       dev_err(pcu->dev,
+                               "Invalid record length in firmware: %d\n", len);
+                       return -EINVAL;
+               }
+
                fragment = (void *)&pcu->cmd_buf[1];
                put_unaligned_le32(addr, &fragment->addr);
                fragment->len = len;
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git