| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Jun 2020 14:47:31 +0900
From: Steve Lee <steves.lee@...imintegrated.com>
To: lgirdwood@...il.com, broonie@...nel.org, perex@...ex.cz,
tiwai@...e.com, ckeepax@...nsource.cirrus.com,
geert@...ux-m68k.org, rf@...nsource.wolfsonmicro.com,
shumingf@...ltek.com, srinivas.kandagatla@...aro.org,
krzk@...nel.org, dmurphy@...com, jack.yu@...ltek.com,
nuno.sa@...log.com, steves.lee@...imintegrated.com,
linux-kernel@...r.kernel.org, alsa-devel@...a-project.org
Cc: ryan.lee.maxim@...il.com, ryans.lee@...imintegrated.com,
steves.lee.maxim@...il.com
Subject: [v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading
malformed firmware file can cause out-of-bound access and crash
during dsm_param bin loading.
- add MIN/MAX param size to avoid out-of-bound access.
- read start addr and size of param and check bound.
- add condition that fw->size > param_size + _PAYLOAD_OFFSET
to confirm enough data.
Signed-off-by: Steve Lee <steves.lee@...imintegrated.com>
---
Change log v2:
* add condtion that param_size + _PAYLOAD_OFFSET is less than fw->size
to confirm enough data
* remove unintended code
sound/soc/codecs/max98390.c | 24 ++++++++++++++++++++----
sound/soc/codecs/max98390.h | 3 ++-
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/max98390.c b/sound/soc/codecs/max98390.c
index be7cd0aeb6a6..0d63ebfbff2f 100644
--- a/sound/soc/codecs/max98390.c
+++ b/sound/soc/codecs/max98390.c
@@ -754,6 +754,7 @@ static struct snd_soc_dai_driver max98390_dai[] = {
static int max98390_dsm_init(struct snd_soc_component *component)
{
int ret;
+ int param_size, param_start_addr;
char filename[128];
const char *vendor, *product;
struct max98390_priv *max98390 =
@@ -780,14 +781,29 @@ static int max98390_dsm_init(struct snd_soc_component *component)
dev_dbg(component->dev,
"max98390: param fw size %zd\n",
fw->size);
+ if (fw->size < MAX98390_DSM_PARAM_MIN_SIZE) {
+ dev_err(component->dev,
+ "param fw is invalid.\n");
+ goto err_alloc;
+ }
dsm_param = (char *)fw->data;
+ param_start_addr = (dsm_param[0] & 0xff) | (dsm_param[1] & 0xff) << 8;
+ param_size = (dsm_param[2] & 0xff) | (dsm_param[3] & 0xff) << 8;
+ if (param_size > MAX98390_DSM_PARAM_MAX_SIZE ||
+ param_start_addr < DSM_STBASS_HPF_B0_BYTE0 ||
+ fw->size < param_size + MAX98390_DSM_PAYLOAD_OFFSET) {
+ dev_err(component->dev,
+ "param fw is invalid.\n");
+ goto err_alloc;
+ }
+ regmap_write(max98390->regmap, MAX98390_R203A_AMP_EN, 0x80);
dsm_param += MAX98390_DSM_PAYLOAD_OFFSET;
- regmap_bulk_write(max98390->regmap, DSM_EQ_BQ1_B0_BYTE0,
- dsm_param,
- fw->size - MAX98390_DSM_PAYLOAD_OFFSET);
- release_firmware(fw);
+ regmap_bulk_write(max98390->regmap, param_start_addr,
+ dsm_param, param_size);
regmap_write(max98390->regmap, MAX98390_R23E1_DSP_GLOBAL_EN, 0x01);
+err_alloc:
+ release_firmware(fw);
err:
return ret;
}
diff --git a/sound/soc/codecs/max98390.h b/sound/soc/codecs/max98390.h
index f59cb114d957..5f444e7779b0 100644
--- a/sound/soc/codecs/max98390.h
+++ b/sound/soc/codecs/max98390.h
@@ -650,7 +650,8 @@
/* DSM register offset */
#define MAX98390_DSM_PAYLOAD_OFFSET 16
-#define MAX98390_DSM_PAYLOAD_OFFSET_2 495
+#define MAX98390_DSM_PARAM_MAX_SIZE 770
+#define MAX98390_DSM_PARAM_MIN_SIZE 670
struct max98390_priv {
struct regmap *regmap;
--
2.17.1
Powered by blists - more mailing lists