Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8f256045 authored by David Collins's avatar David Collins
Browse files

bif: bif-core: do not read past the end of NVM when parsing BIF objects 



Add a length check in the non-volatile memory (NVM) BIF object
parsing function so that it does not attempt to read past the
end of the NVM address space of the BIF slave.

Change-Id: Iafd40e61e7ca0bfa2e2be95c294a0e17d5cf515c
Signed-off-by: default avatarDavid Collins <collinsd@codeaurora.org>
parent 7a569dc7

drivers/bif/bif-core.c

+10 −6
Original line number Diff line number Diff line
@@ -2089,7 +2089,7 @@ static int bif_initialize_nvm_function(struct bif_slave_dev *sdev, 
		struct bif_ddb_l2_data *func)

{

	int rc = 0;

	int data_len;

	int data_len, read_size;

	u8 buf[8], object_type;

	struct bif_object *object;

	struct bif_object *temp;
@@ -2135,8 +2135,7 @@ static int bif_initialize_nvm_function(struct bif_slave_dev *sdev, 
		return rc;

	}



	/* Object type == 0x00 corresponds to the end of the object list. */

	while (object_type != 0x00) {

	while (object_type != BIF_OBJ_END_OF_LIST) {

		object = kzalloc(sizeof(*object), GFP_KERNEL);

		if (!object) {

			pr_err("out of memory\n");
@@ -2188,15 +2187,20 @@ static int bif_initialize_nvm_function(struct bif_slave_dev *sdev, 
			goto free_data;

		}



		rc = _bif_slave_read(sdev, addr + 6 + data_len, buf, 3);

		if ((object->length + addr) >= (sdev->nvm_function->nvm_size

				+ sdev->nvm_function->nvm_base_address))

			read_size = 2;

		else

			read_size = 3;

		rc = _bif_slave_read(sdev, addr + 6 + data_len, buf, read_size);

		if (rc) {

			pr_err("Slave memory read of object CRC failed; addr=0x%04X, len=%d, rc=%d\n",

				addr + 6 + data_len, 3, rc);

				addr + 6 + data_len, read_size, rc);

			goto free_data;

		}



		object->crc = buf[0] << 8 | buf[1];

		object_type = buf[2];

		object_type = (read_size == 3) ? buf[2] : BIF_OBJ_END_OF_LIST;

		sdev->nvm_function->object_count++;



		crc = bif_object_crc_ccitt(object);