
Commit 45181714 authored by Kaushal Kumar, committed by Gerrit - the friendly Code Review server

soc: qcom: pil: Avoid possible buffer overflow



MBA image size comparison check is currently being
done with a signed count whose value can possibly be
negative. If count value is negative then comparison
will always succeed and invoke memcpy with incorrect
value of count leading to buffer overflow. Fix this
by not using signed comparison.

Change-Id: Id2d0cafae01f940f36cfd559d4656fc0f022d6a5
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
parent 047ccea1
+3 −4
@@ -534,7 +534,7 @@ int pil_mss_reset_load_mba(struct pil_desc *pil)
	char *fw_name_p;
	void *mba_dp_virt;
	dma_addr_t mba_dp_phys, mba_dp_phys_end;
	int ret, count;
	int ret;
	const u8 *data;
	struct device *dma_dev = md->mba_mem_dev_fixed ?: &md->mba_mem_dev;

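Review bot: in the declarations of pil_mss_reset_load_mba(), dropping `count` is only safe if the memcpy path changed in the next hunk was its sole user, so please confirm nothing else in the function still reads it. If a local for the length is ever wanted again, declare it as size_t so it matches fw->size rather than reintroducing an int that can go negative.
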
@@ -595,10 +595,9 @@ int pil_mss_reset_load_mba(struct pil_desc *pil)
			&mba_dp_phys, &mba_dp_phys_end, drv->mba_dp_size);

	/* Load the MBA image into memory */
	count = fw->size;
	if (count <= SZ_1M) {
	if (fw->size <= SZ_1M) {
		/* Ensures memcpy is done for max 1MB fw size */
		memcpy(mba_dp_virt, data, count);
		memcpy(mba_dp_virt, data, fw->size);
	} else {
		dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n",
			__func__);
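
Review bot: the bound in `if (fw->size <= SZ_1M)` is a hard-coded 1 MB, while the context line just above passes drv->mba_dp_size as the size of the region. If mba_dp_virt is allocated with drv->mba_dp_size, compare fw->size against that value (or the smaller of the two) so the memcpy length is tied to the real destination size, and update the "max 1MB" comment to match. The dev_err text "is failed due to fw size overflow" could also be reworded and print fw->size so a rejected image is diagnosable from the log.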