Input: elan_i2c - validate firmware size before use
authorDmitry Torokhov <dmitry.torokhov@gmail.com>
Sun, 26 Apr 2026 05:07:06 +0000 (22:07 -0700)
committerDmitry Torokhov <dmitry.torokhov@gmail.com>
Wed, 29 Apr 2026 18:53:33 +0000 (11:53 -0700)
Ensure that the firmware file is large enough to contain the expected
number of pages and the signature (which resides at the end of the
firmware blob) before accessing them to prevent potential out-of-bounds
reads.

Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
drivers/input/mouse/elan_i2c_core.c

index 7475803c6ce49379b11be4aa388baf78415e7b46..5cba02a156ce4aa72c243820aa0716e1950ddd5c 100644 (file)
@@ -648,6 +648,11 @@ static ssize_t elan_sysfs_update_fw(struct device *dev,
                return error;
        }
 
+       if (fw->size < data->fw_signature_address + sizeof(signature)) {
+               dev_err(dev, "firmware file too small\n");
+               return -EBADF;
+       }
+
        /* Firmware file must match signature data */
        fw_signature = &fw->data[data->fw_signature_address];
        if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {
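Review bot: The added bound `fw->size < data->fw_signature_address + sizeof(signature)` computes a sum that can wrap where size_t is 32 bits if the signature address is ever near the top of its range, which would let an undersized file pass the check. The type and origin of `fw_signature_address` are not visible in this hunk, so treat this as hardening rather than a confirmed defect. Comparing by subtraction removes the wrap: `if (fw->size < sizeof(signature) || fw->size - sizeof(signature) < data->fw_signature_address) {`. Separately, the new branch exits with a bare `return -EBADF;` at a point where `fw` is already dereferenced, so confirm that the firmware is released by a scope-based cleanup declared above the hunk; if it is not, this path must go through the function's existing release step. elan_sysfs_update_fw starts and ends outside the hunk, so neither point can be settled from these lines alone.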