Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3de9978f authored by Srinivasarao Pathipati's avatar Srinivasarao Pathipati
Browse files

soc: qcom: mdt_loader: add bound checks for headers 



Add checks to ensure that ehdr's size not more than fw->size.

Change-Id: Ia17558dfff783dc900ac67475019929ac95fe53b
Signed-off-by: default avatarSrinivasarao Pathipati <quic_c_spathi@quicinc.com>
parent 4421fcf0

drivers/soc/qcom/mdt_loader.c

+7 −1
Original line number Diff line number Diff line
@@ -92,10 +92,16 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len) 
	size_t ehdr_size;

	void *data;



	if (fw->size < sizeof(struct elf32_hdr)) {

		dev_err(dev, "Image is too small\n");

		return ERR_PTR(-EINVAL);

	}



	ehdr = (struct elf32_hdr *)fw->data;

	phdrs = (struct elf32_phdr *)(ehdr + 1);



	if (ehdr->e_phnum < 2 || ehdr->e_phnum > PN_XNUM)

	if (ehdr->e_phnum < 2 || ehdr->e_phoff > fw->size ||

	    (sizeof(phdrs) * ehdr->e_phnum > fw->size - ehdr->e_phoff))

		return ERR_PTR(-EINVAL);



	if (phdrs[0].p_type == PT_LOAD)