On Thu, Sep 08, 2022 at 05:42:54PM +0800, Herbert Xu wrote: > On Thu, Sep 01, 2022 at 06:32:53PM +0300, Dan Carpenter wrote: > > > > @@ -263,7 +264,13 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae) > > ucode = (struct ucode_header *)fw_entry->data; > > mcode = &cpt->mcode[cpt->next_mc_idx]; > > memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ); > > - mcode->code_size = ntohl(ucode->code_length) * 2; > > + > > + code_length = ntohl(ucode->code_length); > > + if (code_length >= INT_MAX / 2) { > > + ret = -EINVAL; > > + goto fw_release; > > + } > > + mcode->code_size = code_length; > > Where did the "* 2" go? Crud. :/ Sorry. > > BTW, what is the threat model here? If the firmware metadata can't > be trusted, shouldn't we be capping the firmware size at a level > a lot lower than INT_MAX? This is not firmware metadata, I'm fairly sure the fw_entry->data is raw data from the file system. Realistically, if you can't trust your firmware then you are probably toasted but there is a move to trust as little as possible. Also Smatch marks data from the file system as untrusted so it will generate static checker warnings. regards, dan carpenter
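Review bot: the new assignment `mcode->code_size = code_length;` drops the `* 2` that the removed line `mcode->code_size = ntohl(ucode->code_length) * 2;` applied, so the hunk changes the computed code size and not just the overflow handling; the check `if (code_length >= INT_MAX / 2)` is sized for a doubled value, which only makes sense if the multiply is kept, so the last added line should read `mcode->code_size = code_length * 2;` (or the check should be rewritten against whatever bound is actually intended). Separately, the bound here is an integer-overflow guard rather than a size sanity check: a `code_length` just under `INT_MAX / 2` still yields a ~2 GiB `code_size`, so if the header is treated as untrusted input, as the reply argues, a tighter cap derived from the device's actual microcode limits would be more defensible than `INT_MAX / 2`.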