Commit 3fb43a7a authored by Ian Abbott's avatar Ian Abbott Committed by Greg Kroah-Hartman
Browse files

comedi: me4000: Fix potential overrun of firmware buffer 



`me4000_xilinx_download()` loads the firmware that was requested by
`request_firmware()`.  It is possible for it to overrun the source
buffer because it blindly trusts the file format.  It reads a data
stream length from the first 4 bytes into variable `file_length` and
reads the data stream contents of length `file_length` from offset 16
onwards.

Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream.  On failure, log an error and
return `-EINVAL`.

Note: The firmware loading was totally broken before commit ac584af5
("staging: comedi: me4000: fix firmware downloading"), but that is the
most sensible target for this fix.

Fixes: ac584af5 ("staging: comedi: me4000: fix firmware downloading")
Cc: stable <stable@kernel.org>
Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260205133949.71722-1-abbotti@mev.co.uk


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 101ab946

drivers/comedi/drivers/me4000.c

+12 −4
Original line number Diff line number Diff line
@@ -315,6 +315,18 @@ static int me4000_xilinx_download(struct comedi_device *dev, 
	unsigned int val;

	unsigned int i;



	/* Get data stream length from header. */

	if (size >= 4) {

		file_length = (((unsigned int)data[0] & 0xff) << 24) +

			      (((unsigned int)data[1] & 0xff) << 16) +

			      (((unsigned int)data[2] & 0xff) << 8) +

			      ((unsigned int)data[3] & 0xff);

	}

	if (size < 16 || file_length > size - 16) {

		dev_err(dev->class_dev, "Firmware length inconsistency\n");

		return -EINVAL;

	}



	if (!xilinx_iobase)

		return -ENODEV;
@@ -346,10 +358,6 @@ static int me4000_xilinx_download(struct comedi_device *dev, 
	outl(val, devpriv->plx_regbase + PLX9052_CNTRL);



	/* Download Xilinx firmware */

	file_length = (((unsigned int)data[0] & 0xff) << 24) +

		      (((unsigned int)data[1] & 0xff) << 16) +

		      (((unsigned int)data[2] & 0xff) << 8) +

		      ((unsigned int)data[3] & 0xff);

	usleep_range(10, 1000);



	for (i = 0; i < file_length; i++) {