Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ASoC: tas2783A: Fix issues in firmware parsing

During firmware download, if the size of the firmware is too small,
it wrongly assumes the firmware download is successful. If there is
a size mismatch with the chunk's header, invalid memory is accessed.
Fix these issues by throwing an error in these cases.

Fixes: 4cc9bd8d7b32 (ASoc: tas2783A: Add soundwire based codec driver)
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202510291226.2R3fbYNh-lkp@intel.com/
Signed-off-by: Niranjan H Y <niranjan.hy@ti.com>
Link: https://patch.msgid.link/20251030151637.566-1-niranjan.hy@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>

Authored by Niranjan H Y and committed by Mark Brown
84f5526e 1a58d865

+18 -2
sound/soc/codecs/tas2783-sdw.c
··· 762 762 goto out; 763 763 } 764 764 765 - mutex_lock(&tas_dev->pde_lock); 766 765 img_sz = fmw->size; 767 766 buf = fmw->data; 768 767 offset += FW_DL_OFFSET; 768 + if (offset >= (img_sz - FW_FL_HDR)) { 769 + dev_err(tas_dev->dev, 770 + "firmware is too small"); 771 + ret = -EINVAL; 772 + goto out; 773 + } 774 + 775 + mutex_lock(&tas_dev->pde_lock); 769 776 while (offset < (img_sz - FW_FL_HDR)) { 770 777 memset(&hdr, 0, sizeof(hdr)); 771 778 offset += read_header(&buf[offset], &hdr); ··· 782 775 hdr.length, offset); 783 776 /* size also includes the header */ 784 777 file_blk_size = hdr.length - FW_FL_HDR; 778 + 779 + /* make sure that enough data is there */ 780 + if (offset + file_blk_size > img_sz) { 781 + ret = -EINVAL; 782 + dev_err(tas_dev->dev, 783 + "corrupt firmware file"); 784 + break; 785 + } 785 786 786 787 switch (hdr.file_id) { 787 788 case 0: ··· 823 808 break; 824 809 } 825 810 mutex_unlock(&tas_dev->pde_lock); 826 - tas2783_update_calibdata(tas_dev); 811 + if (!ret) 812 + tas2783_update_calibdata(tas_dev); 827 813 828 814 out: 829 815 if (!ret)
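Review bot: The new guard at line 768, `if (offset >= (img_sz - FW_FL_HDR))`, still subtracts before it compares. If img_sz is an unsigned type (its declaration is not in the visible lines) and the image is shorter than FW_FL_HDR, the subtraction wraps to a very large value and the undersized firmware passes the check it was added to fail. The unchanged loop condition `while (offset < (img_sz - FW_FL_HDR))` has the same shape. Expressing both as an addition, for example `if (offset + FW_FL_HDR >= img_sz)`, removes the wrap. The "firmware is too small" string passed to dev_err() is also missing its trailing `\n`.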
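Review bot: The bound added at line 780, `if (offset + file_blk_size > img_sz)`, relies on `file_blk_size = hdr.length - FW_FL_HDR`, and nothing in the visible lines rejects a header whose length field is smaller than FW_FL_HDR. Such a header makes file_blk_size negative or, if the variable is unsigned, very large, and the sum with offset can then wrap below img_sz so the corrupt chunk is accepted. Reject `hdr.length < FW_FL_HDR` before the subtraction and compare against the remaining bytes instead, for example `if (file_blk_size > img_sz - offset)`, which cannot overflow because the loop condition already keeps offset below img_sz. The "corrupt firmware file" message would be more useful with hdr.length and offset included, and it also needs a trailing `\n`.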