Message ID | 3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org |
---|---|
State | New |
Series | ihex: add some bounds checking to firmware parsing |
On 5/28/25 13:22, Dan Carpenter wrote: > The "rec->len" value comes from the firmware. We generally do > trust firmware, but it's always better to double check. If > the length value is too large it would lead to memory corruption > when we set "data[i] = ret;" > > Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Guenter Roeck <linux@roeck-us.net> > --- > drivers/watchdog/ziirave_wdt.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c > index fcc1ba02e75b..5c6e3fa001d8 100644 > --- a/drivers/watchdog/ziirave_wdt.c > +++ b/drivers/watchdog/ziirave_wdt.c > @@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd, > const u16 len = be16_to_cpu(rec->len); > const u32 addr = be32_to_cpu(rec->addr); > > + if (len > sizeof(data)) > + return -EINVAL; > + > if (ziirave_firm_addr_readonly(addr)) > continue; >
diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c index fcc1ba02e75b..5c6e3fa001d8 100644 --- a/drivers/watchdog/ziirave_wdt.c +++ b/drivers/watchdog/ziirave_wdt.c @@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd, const u16 len = be16_to_cpu(rec->len); const u32 addr = be32_to_cpu(rec->addr); + if (len > sizeof(data)) + return -EINVAL; + if (ziirave_firm_addr_readonly(addr)) continue;
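Review bot: The new `len > sizeof(data)` check sits above the `ziirave_firm_addr_readonly(addr)` test, so a record that would previously have been skipped by `continue` now fails the whole verify pass with -EINVAL when its length is oversized. That is a reasonable outcome for a malformed image, but the commit message should say it is intended; if skipped records are meant to stay skipped, move the check below the `continue`. The declaration of `data` is outside the visible context, so please confirm it is an array local to this function and not a pointer, since otherwise `sizeof(data)` is not the buffer size. A log line naming the offending address and length before returning would also make a rejected image easier to diagnose.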
The "rec->len" value comes from the firmware. We generally do trust firmware, but it's always better to double check. If the length value is too large it would lead to memory corruption when we set "data[i] = ret;"

Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

---

drivers/watchdog/ziirave_wdt.c | 3 +++
1 file changed, 3 insertions(+)