Message ID | 20210107232526.716989-1-bjorn.andersson@linaro.org |
---|---|
State | Accepted |
Commit | 0648c55e3a21ccd816e99b6600d6199fbf39d23a |
Headers | show |
Series | soc: qcom: mdt_loader: Detect truncated read of segments | expand |
Hey Bjorn, Thanks for the patch! On 1/8/21 4:55 AM, Bjorn Andersson wrote: > Given that no validation of how much data the firmware loader read in > for a given segment truncated segment files would best case result in a > hash verification failure, without any indication of what went wrong. > > Improve this by validating that the firmware loader did return the > amount of data requested. > > Fixes: 445c2410a449 ("soc: qcom: mdt_loader: Use request_firmware_into_buf()") > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> > --- > drivers/soc/qcom/mdt_loader.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c > index 24cd193dec55..e01d18e9ad2b 100644 > --- a/drivers/soc/qcom/mdt_loader.c > +++ b/drivers/soc/qcom/mdt_loader.c > @@ -253,6 +253,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, > break; > } > > + if (seg_fw->size != phdr->p_filesz) { > + dev_err(dev, > + "failed to load segment %d from truncated file %s\n", > + i, fw_name); > + ret = -EINVAL; > + break; seg_fw has to be released on error condition as well. With ^^ fixed you can have my R-b. Reviewed-by: Sibi Sankar <sibis@codeaurora.org> > + } > + > release_firmware(seg_fw); > } > > -- Qualcomm Innovation Center, Inc. Qualcomm Innovation Center, Inc, is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index 24cd193dec55..e01d18e9ad2b 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -253,6 +253,14 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, break; } + if (seg_fw->size != phdr->p_filesz) { + dev_err(dev, + "failed to load segment %d from truncated file %s\n", + i, fw_name); + ret = -EINVAL; + break; + } + release_firmware(seg_fw); }
Given that no validation of how much data the firmware loader read in for a given segment truncated segment files would best case result in a hash verification failure, without any indication of what went wrong. Improve this by validating that the firmware loader did return the amount of data requested. Fixes: 445c2410a449 ("soc: qcom: mdt_loader: Use request_firmware_into_buf()") Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> --- drivers/soc/qcom/mdt_loader.c | 8 ++++++++ 1 file changed, 8 insertions(+) -- 2.29.2