12 Dec
2018
12:23 p.m.
On Tue, 11 Dec 2018 22:23:13 +0100, Pierre-Louis Bossart wrote:
+/* generic module parser for mmaped DSPs */
+int snd_sof_parse_module_memcpy(struct snd_sof_dev *sdev,
struct snd_sof_mod_hdr *module)
+{
- struct snd_sof_blk_hdr *block;
- int count;
- u32 offset;
- dev_dbg(sdev->dev, "new module size 0x%x blocks 0x%x type 0x%x\n",
module->size, module->num_blocks, module->type);
- block = (void *)module + sizeof(*module);
- for (count = 0; count < module->num_blocks; count++) {
Need a sanity check that it won't go beyond the actual firmware size. A user may pass malicious module data, e.g. with an extra-large num_blocks.
if (block->size == 0) {dev_warn(sdev->dev,"warning: block %d size zero\n", count);dev_warn(sdev->dev, " type 0x%x offset 0x%x\n",block->type, block->offset);continue;}switch (block->type) {case SOF_BLK_IMAGE:case SOF_BLK_CACHE:case SOF_BLK_REGS:case SOF_BLK_SIG:case SOF_BLK_ROM:continue; /* not handled atm */case SOF_BLK_TEXT:case SOF_BLK_DATA:offset = block->offset;break;default:dev_err(sdev->dev, "error: bad type 0x%x for block 0x%x\n",block->type, count);return -EINVAL;}dev_dbg(sdev->dev,"block %d type 0x%x size 0x%x ==> offset 0x%x\n",count, block->type, block->size, offset);snd_sof_dsp_block_write(sdev, offset,(void *)block + sizeof(*block),block->size);/* next block */block = (void *)block + sizeof(*block) + block->size;
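Review bot: The `continue` in the `block->size == 0` branch and in the `SOF_BLK_IMAGE`/`SOF_BLK_CACHE`/`SOF_BLK_REGS`/`SOF_BLK_SIG`/`SOF_BLK_ROM` cases skips the `/* next block */` advance at the bottom of the loop body, so once such a block is hit the parser re-reads the same header on every remaining iteration and any block after it is never written. Moving the advance into the loop header covers both paths: `for (count = 0; count < module->num_blocks; count++, block = (void *)block + sizeof(*block) + block->size) {` and drop the trailing `block = ...` assignment. Whether `snd_sof_dsp_block_write()` reports a failure is not visible here; if it does, the result should be checked and propagated rather than discarded. The loop and the function continue beyond the quoted hunk.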
This may lead to an unaligned access. Also, how is the endianness guaranteed?
thanks,
Takashi