linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading
@ 2020-06-04  5:47 Steve Lee
  2020-06-04 14:07 ` Mark Brown
  0 siblings, 1 reply; 2+ messages in thread
From: Steve Lee @ 2020-06-04  5:47 UTC (permalink / raw)
  To: lgirdwood, broonie, perex, tiwai, ckeepax, geert, rf, shumingf,
	srinivas.kandagatla, krzk, dmurphy, jack.yu, nuno.sa, steves.lee,
	linux-kernel, alsa-devel
  Cc: ryan.lee.maxim, ryans.lee, steves.lee.maxim

 malformed firmware file can cause out-of-bound access and crash
 during dsm_param bin loading.
  - add MIN/MAX param size to avoid out-of-bound access.
  - read start addr and size of param and check bound.
  - add condition that fw->size > param_size + _PAYLOAD_OFFSET
    to confirm enough data.

Signed-off-by: Steve Lee <steves.lee@maximintegrated.com>
---

Change log v2:
	* add condtion that param_size + _PAYLOAD_OFFSET is less than fw->size
	  to confirm enough data
	* remove unintended code

 sound/soc/codecs/max98390.c | 24 ++++++++++++++++++++----
 sound/soc/codecs/max98390.h |  3 ++-
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/sound/soc/codecs/max98390.c b/sound/soc/codecs/max98390.c
index be7cd0aeb6a6..0d63ebfbff2f 100644
--- a/sound/soc/codecs/max98390.c
+++ b/sound/soc/codecs/max98390.c
@@ -754,6 +754,7 @@ static struct snd_soc_dai_driver max98390_dai[] = {
 static int max98390_dsm_init(struct snd_soc_component *component)
 {
 	int ret;
+	int param_size, param_start_addr;
 	char filename[128];
 	const char *vendor, *product;
 	struct max98390_priv *max98390 =
@@ -780,14 +781,29 @@ static int max98390_dsm_init(struct snd_soc_component *component)
 	dev_dbg(component->dev,
 		"max98390: param fw size %zd\n",
 		fw->size);
+	if (fw->size < MAX98390_DSM_PARAM_MIN_SIZE) {
+		dev_err(component->dev,
+			"param fw is invalid.\n");
+		goto err_alloc;
+	}
 	dsm_param = (char *)fw->data;
+	param_start_addr = (dsm_param[0] & 0xff) | (dsm_param[1] & 0xff) << 8;
+	param_size = (dsm_param[2] & 0xff) | (dsm_param[3] & 0xff) << 8;
+	if (param_size > MAX98390_DSM_PARAM_MAX_SIZE ||
+		param_start_addr < DSM_STBASS_HPF_B0_BYTE0 ||
+		fw->size < param_size + MAX98390_DSM_PAYLOAD_OFFSET) {
+		dev_err(component->dev,
+			"param fw is invalid.\n");
+		goto err_alloc;
+	}
+	regmap_write(max98390->regmap, MAX98390_R203A_AMP_EN, 0x80);
 	dsm_param += MAX98390_DSM_PAYLOAD_OFFSET;
-	regmap_bulk_write(max98390->regmap, DSM_EQ_BQ1_B0_BYTE0,
-		dsm_param,
-		fw->size - MAX98390_DSM_PAYLOAD_OFFSET);
-	release_firmware(fw);
+	regmap_bulk_write(max98390->regmap, param_start_addr,
+		dsm_param, param_size);
 	regmap_write(max98390->regmap, MAX98390_R23E1_DSP_GLOBAL_EN, 0x01);
 
+err_alloc:
+	release_firmware(fw);
 err:
 	return ret;
 }
diff --git a/sound/soc/codecs/max98390.h b/sound/soc/codecs/max98390.h
index f59cb114d957..5f444e7779b0 100644
--- a/sound/soc/codecs/max98390.h
+++ b/sound/soc/codecs/max98390.h
@@ -650,7 +650,8 @@
 
 /* DSM register offset */
 #define MAX98390_DSM_PAYLOAD_OFFSET 16
-#define MAX98390_DSM_PAYLOAD_OFFSET_2 495
+#define MAX98390_DSM_PARAM_MAX_SIZE 770
+#define MAX98390_DSM_PARAM_MIN_SIZE 670
 
 struct max98390_priv {
 	struct regmap *regmap;
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading
  2020-06-04  5:47 [v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading Steve Lee
@ 2020-06-04 14:07 ` Mark Brown
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Brown @ 2020-06-04 14:07 UTC (permalink / raw)
  To: perex, alsa-devel, ckeepax, Steve Lee, nuno.sa, rf, geert,
	shumingf, linux-kernel, tiwai, krzk, jack.yu, dmurphy, lgirdwood,
	srinivas.kandagatla
  Cc: ryan.lee.maxim, steves.lee.maxim, ryans.lee

On Thu, 4 Jun 2020 14:47:31 +0900, Steve Lee wrote:
>  malformed firmware file can cause out-of-bound access and crash
>  during dsm_param bin loading.
>   - add MIN/MAX param size to avoid out-of-bound access.
>   - read start addr and size of param and check bound.
>   - add condition that fw->size > param_size + _PAYLOAD_OFFSET
>     to confirm enough data.

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: max98390: Fix potential crash during param fw loading
      commit: 97ed3e509ee6d098730d137759c627a8d674cf55

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-06-04 14:07 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-04  5:47 [v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading Steve Lee
2020-06-04 14:07 ` Mark Brown

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).