Date: Wed, 3 Jun 2020 12:42:41 +0100
From: Mark Brown
To: Steve Lee
Subject: Re: [PATCH] ASoC: max98390: Fix potential crash during param fw loading
Message-ID: <20200603114241.GD5327@sirena.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 03, 2020 at 11:37:44AM +0000, Steve Lee wrote:

> > This is now reading the size out of the header of the file which is good but it
> > should also validate that the file is big enough to have this much data in it,
> > otherwise it's possible to read beyond the end of the firmware file (eg, if it got
> > truncated somehow). Previously the code used the size of the file read from disk
> > so that wasn't an issue.

> Thanks for the quick comment. Can this case be covered by the line below?
> + if (fw->size < MAX98390_DSM_PARAM_MIN_SIZE) {
> + dev_err(component->dev,
> + "param fw is invalid.\n");
> + goto err_alloc;
> + }

No, that doesn't cover all of it - the case I'm concerned about is the
case where we've got enough data for the header but the payload is
truncated. You need a check that param_size + _PAYLOAD_OFFSET is less
than fw->size as well.
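Review bot: the fw->size < MAX98390_DSM_PARAM_MIN_SIZE test in this hunk only rejects a file that is too small to hold the header; nothing here compares the size read out of the header against fw->size, so a file with a complete header and a cut-off payload still passes. Add a second check, once the size has been read from the header, that the declared parameter size plus the payload offset fits within fw->size, and fail through the same err_alloc path. The dev_err text "param fw is invalid." would also be easier to act on if it reported fw->size.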
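Added example, not code from this thread or from the max98390 driver: a user-space sketch of the two checks discussed above, showing that a minimum-size test alone accepts a file whose payload is truncated. The file layout, the FW_* names and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout for illustration (not the max98390 file format):
 * bytes 0-1 = payload size, little endian; payload starts at byte 4. */
#define FW_MIN_SIZE        4u
#define FW_PAYLOAD_OFFSET  4u

#define FW_TOO_SHORT  (-1L)  /* the header itself is incomplete */
#define FW_TRUNCATED  (-2L)  /* header is complete, payload is cut short */

/* Constructed samples: both headers declare an 8-byte payload. */
static const uint8_t sample_good[12] = { 8, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t sample_cut[7]   = { 8, 0, 0, 0, 1, 2, 3 };

/* Return the validated payload length, or a negative FW_* error.
 * On success the payload is the `length` bytes at data + FW_PAYLOAD_OFFSET. */
static long fw_payload_len(const uint8_t *data, size_t size)
{
    size_t declared;

    /* Check 1: enough bytes to read the header at all. */
    if (size < FW_MIN_SIZE)
        return FW_TOO_SHORT;

    declared = (size_t)data[0] | ((size_t)data[1] << 8);

    /* Check 2: the declared payload must fit in what was actually loaded.
     * Written as a subtraction so the comparison cannot wrap; check 1
     * already guarantees size >= FW_PAYLOAD_OFFSET. */
    if (declared > size - FW_PAYLOAD_OFFSET)
        return FW_TRUNCATED;

    return (long)declared;
}

int main(void)
{
    printf("complete file:     %ld\n",
           fw_payload_len(sample_good, sizeof(sample_good)));
    /* 7 bytes passes the minimum-size test but holds only 3 payload bytes. */
    printf("truncated payload: %ld\n",
           fw_payload_len(sample_cut, sizeof(sample_cut)));
    printf("truncated header:  %ld\n", fw_payload_len(sample_cut, 2));
    return 0;
}
```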