From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Ben Hutchings", "Charles Keepax", "Mark Brown"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 080/254] ASoC: wm_adsp: Fix validation of firmware and coeff lengths

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings

commit 50dd2ea8ef67a1617e0c0658bcbec4b9fb03b936 upstream.

The checks for whether another region/block header could be present are subtracting the size from the current offset. Obviously we should instead subtract the offset from the size.

The checks for whether the region/block data fit in the file are adding the data size to the current offset and header size, without checking for integer overflow. Rearrange these so that overflow is impossible.

Signed-off-by: Ben Hutchings
Acked-by: Charles Keepax
Tested-by: Charles Keepax
Signed-off-by: Mark Brown
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
--- sound/soc/codecs/wm_adsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/sound/soc/codecs/wm_adsp.c +++ b/sound/soc/codecs/wm_adsp.c @@ -622,7 +622,7 @@ static int wm_adsp_load(struct wm_adsp * le64_to_cpu(footer->timestamp)); while (pos < firmware->size && - pos - firmware->size > sizeof(*region)) { + sizeof(*region) < firmware->size - pos) { region = (void *)&(firmware->data[pos]); region_name = "Unknown"; reg = 0; 
@@ -677,8 +677,8 @@ static int wm_adsp_load(struct wm_adsp * regions, le32_to_cpu(region->len), offset, region_name); - if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > - firmware->size) { + if (le32_to_cpu(region->len) > + firmware->size - pos - sizeof(*region)) { adsp_err(dsp, "%s.%d: %s region len %d bytes exceeds file length %zu\n", file, regions, region_name, @@ -1248,7 +1248,7 @@ static int wm_adsp_load_coeff(struct wm_ blocks = 0; while (pos < firmware->size && - pos - firmware->size > sizeof(*blk)) { + sizeof(*blk) < firmware->size - pos) { blk = (void*)(&firmware->data[pos]); type = le16_to_cpu(blk->type); @@ -1328,8 +1328,8 @@ static int wm_adsp_load_coeff(struct wm_ } if (reg) { - if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > - firmware->size) { + if (le32_to_cpu(blk->len) > + firmware->size - pos - sizeof(*blk)) { adsp_err(dsp, "%s.%d: %s region len %d bytes exceeds file length %zu\n", file, blocks, region_name,
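Review bot: in the wm_adsp_load() loop condition (hunk @@ -622), `sizeof(*region) < firmware->size - pos` is a strict comparison, so when exactly sizeof(*region) bytes remain the loop exits without parsing a final header that carries no data. If a zero-length trailing region is valid this should be `<=`; if it is not, a short comment stating the intended boundary would help, since the expression being replaced gave no usable indication of it.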
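Review bot: the new length check in wm_adsp_load() (hunk @@ -677) is free of wraparound only because the loop condition has already established that firmware->size - pos exceeds sizeof(*region); `firmware->size - pos - sizeof(*region)` would wrap if that ever stopped holding. A one-line comment above the `if` recording that dependency would protect against a later change to the `while` condition, or code added between the loop head and this check that advances pos, silently reintroducing the problem.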
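Review bot: the loop condition in wm_adsp_load_coeff() (hunk @@ -1248) repeats the expression from wm_adsp_load() with only the struct changed, and the bug being fixed was identical in both places. A small static inline helper taking the firmware size, pos and the header size would keep the two loaders from diverging again, and would be the natural place to document that `pos < firmware->size` must be tested first because `firmware->size - pos` is only meaningful once that holds.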
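Review bot: in the wm_adsp_load_coeff() length check (hunk @@ -1328), the context line still formats the length with `%d` in "region len %d bytes exceeds file length %zu". Assuming the argument is the same le32_to_cpu(blk->len) that the check tests, a value above INT_MAX, which is exactly the kind of length this check now catches, would be logged as a negative number. Suggest `%u` here and in the matching message in wm_adsp_load(); the message in this function could also say "block" rather than "region".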