firmware: Sigma: Prevent out of bounds memory access

The SigmaDSP firmware loader currently does not perform enough boundary size
checks when processing the firmware. As a result it is possible that a
malformed firmware can cause an out of bounds memory access.

This patch adds checks which ensure that both the action header and the payload
are completely inside the firmware data boundaries before processing them.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@kernel.org
This commit is contained in:
Lars-Peter Clausen
2011-11-28 09:44:14 +01:00
committed by Mark Brown
parent fc8e6e8668
commit 4f718a29fe
2 changed files with 56 additions and 27 deletions
-5
View File
@@ -50,11 +50,6 @@ static inline u32 sigma_action_len(struct sigma_action *sa)
return (sa->len_hi << 16) | sa->len;
}
static inline size_t sigma_action_size(struct sigma_action *sa, u32 payload_len)
{
return sizeof(*sa) + payload_len + (payload_len % 2);
}
extern int process_sigma_firmware(struct i2c_client *client, const char *name);
#endif