diff options
| author | Niranjan H Y <niranjan.hy@ti.com> | 2025-10-30 20:46:37 +0530 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2025-11-06 13:12:34 +0000 |
| commit | 84f5526e4dce0a44d050ceb1b1bf21d43016d91b (patch) | |
| tree | 2c4a3d77ddce4df45d93659a2d8e5ac4e99be971 /sound/soc | |
| parent | 1a58d865f423f4339edf59053e496089075fa950 (diff) | |
| download | linux-84f5526e4dce0a44d050ceb1b1bf21d43016d91b.tar.gz linux-84f5526e4dce0a44d050ceb1b1bf21d43016d91b.tar.bz2 linux-84f5526e4dce0a44d050ceb1b1bf21d43016d91b.zip | |
ASoC: tas2783A: Fix issues in firmware parsing
During firmware download, if the size of the firmware is too small,
it wrongly assumes the firmware download is successful. If there is
size mismatch with chunk's header, invalid memory is accessed.
Fix these issues by throwing error during these cases.
Fixes: 4cc9bd8d7b32 (ASoc: tas2783A: Add soundwire based codec driver)
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202510291226.2R3fbYNh-lkp@intel.com/
Signed-off-by: Niranjan H Y <niranjan.hy@ti.com>
Link: https://patch.msgid.link/20251030151637.566-1-niranjan.hy@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'sound/soc')
| -rw-r--r-- | sound/soc/codecs/tas2783-sdw.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/sound/soc/codecs/tas2783-sdw.c b/sound/soc/codecs/tas2783-sdw.c index 1fb4227b711e..e273b80d033e 100644 --- a/sound/soc/codecs/tas2783-sdw.c +++ b/sound/soc/codecs/tas2783-sdw.c @@ -762,10 +762,17 @@ static void tas2783_fw_ready(const struct firmware *fmw, void *context) goto out; } - mutex_lock(&tas_dev->pde_lock); img_sz = fmw->size; buf = fmw->data; offset += FW_DL_OFFSET; + if (offset >= (img_sz - FW_FL_HDR)) { + dev_err(tas_dev->dev, + "firmware is too small"); + ret = -EINVAL; + goto out; + } + + mutex_lock(&tas_dev->pde_lock); while (offset < (img_sz - FW_FL_HDR)) { memset(&hdr, 0, sizeof(hdr)); offset += read_header(&buf[offset], &hdr); @@ -776,6 +783,14 @@ static void tas2783_fw_ready(const struct firmware *fmw, void *context) /* size also includes the header */ file_blk_size = hdr.length - FW_FL_HDR; + /* make sure that enough data is there */ + if (offset + file_blk_size > img_sz) { + ret = -EINVAL; + dev_err(tas_dev->dev, + "corrupt firmware file"); + break; + } + switch (hdr.file_id) { case 0: ret = sdw_nwrite_no_pm(tas_dev->sdw_peripheral, @@ -808,7 +823,8 @@ static void tas2783_fw_ready(const struct firmware *fmw, void *context) break; } mutex_unlock(&tas_dev->pde_lock); - tas2783_update_calibdata(tas_dev); + if (!ret) + tas2783_update_calibdata(tas_dev); out: if (!ret) |