On Tue, 11 Dec 2018 22:23:13 +0100, Pierre-Louis Bossart wrote:
>
> +/* generic module parser for mmaped DSPs */
> +int snd_sof_parse_module_memcpy(struct snd_sof_dev *sdev,
> + struct snd_sof_mod_hdr *module)
> +{
> + struct snd_sof_blk_hdr *block;
> + int count;
> + u32 offset;
> +
> + dev_dbg(sdev->dev, "new module size 0x%x blocks 0x%x type 0x%x\n",
> + module->size, module->num_blocks, module->type);
> +
> + block = (void *)module + sizeof(*module);
> +
> + for (count = 0; count < module->num_blocks; count++) {

Need a sanity check that it won't go beyond the actual firmware size.
User may pass a malicious module data, e.g. with extra large num_blocks.

> + if (block->size == 0) {
> + dev_warn(sdev->dev,
> + "warning: block %d size zero\n", count);
> + dev_warn(sdev->dev, " type 0x%x offset 0x%x\n",
> + block->type, block->offset);
> + continue;
> + }
> +
> + switch (block->type) {
> + case SOF_BLK_IMAGE:
> + case SOF_BLK_CACHE:
> + case SOF_BLK_REGS:
> + case SOF_BLK_SIG:
> + case SOF_BLK_ROM:
> + continue; /* not handled atm */
> + case SOF_BLK_TEXT:
> + case SOF_BLK_DATA:
> + offset = block->offset;
> + break;
> + default:
> + dev_err(sdev->dev, "error: bad type 0x%x for block 0x%x\n",
> + block->type, count);
> + return -EINVAL;
> + }
> +
> + dev_dbg(sdev->dev,
> + "block %d type 0x%x size 0x%x ==> offset 0x%x\n",
> + count, block->type, block->size, offset);
> +
> + snd_sof_dsp_block_write(sdev, offset,
> + (void *)block + sizeof(*block),
> + block->size);
> +
> + /* next block */
> + block = (void *)block + sizeof(*block) + block->size;

This may lead to an unaligned access.
Also how is the endianess guaranteed?

thanks,

Takashi
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
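Review bot: Both `continue;` statements in the loop body skip the `/* next block */` advance at the bottom of the loop, so a zero-size block or any of the "not handled atm" types leaves `block` pointing at the same header for every remaining iteration while only `count` moves on, and the blocks that follow it are never written. The smallest fix in kernel idiom is `goto next;` in place of each `continue;` with a `next:` label immediately before `block = (void *)block + sizeof(*block) + block->size;`, which also steps over a zero-size header by exactly `sizeof(*block)`. Separately, `offset` is taken straight from `block->offset` and passed to `snd_sof_dsp_block_write` with no check that `offset + block->size` lies inside the DSP memory region, unless that helper range-checks its destination itself; that is the target-side bound, distinct from the source-side `num_blocks` check already requested. The end of the for loop and of snd_sof_parse_module_memcpy lies outside the quoted hunk.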