ASoC: max98390: Fix potential crash during param fw loading

malformed firmware file can cause out-of-bound access and crash during dsm_param bin loading. - add MIN/MAX param size to avoid out-of-bound access. - read start addr and size of param and check bound. - add condition that fw->size > param_size + _PAYLOAD_OFFSET to confirm enough data. Signed-off-by: Steve Lee <steves.lee@maximintegrated.com> Link: https://lore.kernel.org/r/20200604054731.21140-1-steves.lee@maximintegrated.comSigned-off-by: Mark Brown <broonie@kernel.org>

ASoC: max98390: Fix potential crash during param fw loading
malformed firmware file can cause out-of-bound access and crash during dsm_param bin loading. - add MIN/MAX param size to avoid out-of-bound access. - read start addr and size of param and check bound. - add condition that fw->size > param_size + _PAYLOAD_OFFSET to confirm enough data. Signed-off-by: Steve Lee <steves.lee@maximintegrated.com> Link: https://lore.kernel.org/r/20200604054731.21140-1-steves.lee@maximintegrated.comSigned-off-by: Mark Brown <broonie@kernel.org>
97ed3e50 · Steve Lee · Mark Brown · 678916ec · 97ed3e50 · 97ed3e50
Commit 97ed3e50 authored Jun 04, 2020 by Steve Lee Committed by Mark Brown Jun 04, 2020
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 5 deletions

sound/soc/codecs/max98390.c sound/soc/codecs/max98390.c +20 -4

sound/soc/codecs/max98390.h sound/soc/codecs/max98390.h +2 -1

No files found.
--- a/sound/soc/codecs/max98390.c
+++ b/sound/soc/codecs/max98390.c
@@ -754,6 +754,7 @@ static struct snd_soc_dai_driver max98390_dai[] = {
 static int max98390_dsm_init(struct snd_soc_component *component)
 {
 	int ret;
+	int param_size, param_start_addr;
 	char filename[128];
 	const char *vendor, *product;
 	struct max98390_priv *max98390 =
@@ -780,14 +781,29 @@ static int max98390_dsm_init(struct snd_soc_component *component)
 	dev_dbg(component->dev,
 		"max98390: param fw size %zd\n",
 		fw->size);
+	if (fw->size < MAX98390_DSM_PARAM_MIN_SIZE) {
+		dev_err(component->dev,
+			"param fw is invalid.\n");
+		goto err_alloc;
+	}
 	dsm_param = (char *)fw->data;
+	param_start_addr = (dsm_param[0] & 0xff) | (dsm_param[1] & 0xff) << 8;
+	param_size = (dsm_param[2] & 0xff) | (dsm_param[3] & 0xff) << 8;
+	if (param_size > MAX98390_DSM_PARAM_MAX_SIZE ||
+		param_start_addr < DSM_STBASS_HPF_B0_BYTE0 ||
+		fw->size < param_size + MAX98390_DSM_PAYLOAD_OFFSET) {
+		dev_err(component->dev,
+			"param fw is invalid.\n");
+		goto err_alloc;
+	}
+	regmap_write(max98390->regmap, MAX98390_R203A_AMP_EN, 0x80);
 	dsm_param += MAX98390_DSM_PAYLOAD_OFFSET;
-	regmap_bulk_write(max98390->regmap, DSM_EQ_BQ1_B0_BYTE0,
+	regmap_bulk_write(max98390->regmap, param_start_addr,
-		dsm_param,
+		dsm_param, param_size);
-		fw->size - MAX98390_DSM_PAYLOAD_OFFSET);
-	release_firmware(fw);
 	regmap_write(max98390->regmap, MAX98390_R23E1_DSP_GLOBAL_EN, 0x01);
+err_alloc:
+	release_firmware(fw);
 err:
 	return ret;
 }

--- a/sound/soc/codecs/max98390.h
+++ b/sound/soc/codecs/max98390.h
@@ -650,7 +650,8 @@
 /* DSM register offset */
 #define MAX98390_DSM_PAYLOAD_OFFSET 16
-#define MAX98390_DSM_PAYLOAD_OFFSET_2 495
+#define MAX98390_DSM_PARAM_MAX_SIZE 770
+#define MAX98390_DSM_PARAM_MIN_SIZE 670
 struct max98390_priv {
 	struct regmap *regmap;