On Thu, Sep 08, 2022 at 05:42:54PM +0800, Herbert Xu wrote:
> On Thu, Sep 01, 2022 at 06:32:53PM +0300, Dan Carpenter wrote:
> >
> > @@ -263,7 +264,13 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
> > ucode = (struct ucode_header *)fw_entry->data;
> > mcode = &cpt->mcode[cpt->next_mc_idx];
> > memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
> > - mcode->code_size = ntohl(ucode->code_length) * 2;
> > +
> > + code_length = ntohl(ucode->code_length);
> > + if (code_length >= INT_MAX / 2) {
> > + ret = -EINVAL;
> > + goto fw_release;
> > + }
> > + mcode->code_size = code_length;
>
> Where did the "* 2" go?
Crud. :/ Sorry.
>
> BTW, what is the threat model here? If the firmware metadata can't
> be trusted, shouldn't we be capping the firmware size at a level
> a lot lower than INT_MAX?
This is not firmware metadata, I'm fairly sure the fw_entry->data is raw
data from the file system. Realistically, if you can't trust your
firmware then you are probably toasted but there is a move to trust as
little as possible. Also Smatch marks data from the file system as
untrusted so it will generate static checker warnings.
regards,
dan carpenter
