On Tue, Jun 02, 2020 at 06:42:25PM +0200, Takashi Iwai wrote:
But, looking more at the code around that line, I could spot many other bugs. You cannot trust the firmware file and you must check the size. The current code can trigger out-of-bound accesses and crash very easily when a malformed firmware file is tossed; e.g. just put an empty file (or a huge file) as dsm_param.bin.
Yeah, it's not great - the potential impact is limited by regmap which will bounds check attempts to write beyond the last register (though now I look again we're using unsigned values so we should definitely be limiting the lower size) but it would be better to limit it to just the registers that should be being configured. Possibly even just to one valid file length if it's always all the same registers being configured.
Steve?