Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Input: ims-pcu - check record size in ims_pcu_flash_firmware()

The "len" variable comes from the firmware and we generally do
trust firmware, but it's always better to double check. If the "len"
is too large it could result in memory corruption when we do
"memcpy(fragment->data, rec->data, len);"

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/131fd1ae92c828ee9f4fa2de03d8c210ae1f3524.1748463049.git.dan.carpenter@linaro.org
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Authored by Dan Carpenter and committed by Dmitry Torokhov
a95ef019 8f38219f

drivers/input/misc/ims-pcu.c
··· 844 844 addr = be32_to_cpu(rec->addr) / 2; 845 845 len = be16_to_cpu(rec->len); 846 846 847 + if (len > sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment)) { 848 + dev_err(pcu->dev, 849 + "Invalid record length in firmware: %d\n", len); 850 + return -EINVAL; 851 + } 852 + 847 853 fragment = (void *)&pcu->cmd_buf[1]; 848 854 put_unaligned_le32(addr, &fragment->addr); 849 855 fragment->len = len;
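Review bot: the new bound is consistent with the layout set up right below it (the fragment is placed at &pcu->cmd_buf[1], so sizeof(pcu->cmd_buf) - 1 - sizeof(*fragment) is exactly the room left for fragment->data), but that only holds if `data` is a flexible array member so that sizeof(*fragment) covers the header alone; if it is a fixed-size array the check is stricter than necessary rather than unsafe, so please confirm which it is. The line `fragment->len = len;` still stores the 16-bit value from be16_to_cpu() into the fragment header unchanged, so it is also worth confirming that fragment->len's type can represent every value the check admits; if it is narrower, a second cap belongs in the same `if` so an accepted record cannot be silently truncated. Minor: since `len` is unsigned, `%u` is the matching conversion in the dev_err() format instead of `%d`, and logging the record address alongside the length would make a bad firmware image easier to diagnose from the message alone.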