On Thu, Sep 01, 2022 at 06:32:09PM +0300, Dan Carpenter wrote:
>
> @@ -303,7 +304,13 @@ static int process_tar_file(struct device *dev,
> if (get_ucode_type(ucode_hdr, &ucode_type))
> return 0;
>
> - ucode_size = ntohl(ucode_hdr->code_length) * 2;
> + code_length = ntohl(ucode_hdr->code_length);
> + if (code_length >= INT_MAX / 2) {
> + dev_err(dev, "Invalid code_length %u\n", code_length);
> + return -EINVAL;
> + }
> +
> + ucode_size = code_length * 2;
> if (!ucode_size || (size < round_up(ucode_size, 16) +
> sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
> dev_err(dev, "Ucode %s invalid size\n", filename);
How come you didn't add a "ucode_size > size" check like you did
below?
> @@ -896,9 +904,16 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode,
> ucode_hdr = (struct otx_cpt_ucode_hdr *) fw->data;
> memcpy(ucode->ver_str, ucode_hdr->ver_str, OTX_CPT_UCODE_VER_STR_SZ);
> ucode->ver_num = ucode_hdr->ver_num;
> - ucode->size = ntohl(ucode_hdr->code_length) * 2;
> - if (!ucode->size || (fw->size < round_up(ucode->size, 16)
> - + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
> + code_length = ntohl(ucode_hdr->code_length);
> + if (code_length >= INT_MAX / 2) {
> + ret = -EINVAL;
> + goto release_fw;
> + }
> + ucode->size = code_length * 2;
> + if (!ucode->size ||
> + ucode->size > fw->size ||
> + (fw->size < round_up(ucode->size, 16) +
> + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
> dev_err(dev, "Ucode %s invalid size\n", ucode_filename);
> ret = -EINVAL;
> goto release_fw;
> --
> 2.35.1
Thanks,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
