Re: [v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-04 Thread Mark Brown
On Thu, 4 Jun 2020 14:47:31 +0900, Steve Lee wrote: > malformed firmware file can cause out-of-bound access and crash > during dsm_param bin loading. > - add MIN/MAX param size to avoid out-of-bound access. > - read start addr and size of param and check bound. > - add condition that fw->si

[v2 PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Steve Lee
malformed firmware file can cause out-of-bound access and crash during dsm_param bin loading. - add MIN/MAX param size to avoid out-of-bound access. - read start addr and size of param and check bound. - add condition that fw->size > param_size + _PAYLOAD_OFFSET to confirm enough data.

RE: [PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Steve Lee
m; > srinivas.kandaga...@linaro.org; k...@kernel.org; dmur...@ti.com; > jack...@realtek.com; nuno...@analog.com; linux-kernel@vger.kernel.org; > alsa-de...@alsa-project.org; ryan.lee.ma...@gmail.com; Ryan Lee > ; steves.lee.ma...@gmail.com > Subject: Re: [PATCH] ASoC: max98390:

Re: [PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Mark Brown
On Wed, Jun 03, 2020 at 11:37:44AM +, Steve Lee wrote: > > This is now reading the size out of the header of the file which is good > > but it > > should also validate that the file is big enough to have this much data in > > it, > > otherwise it's possible to read beyond the end of the firm

RE: [PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Steve Lee
shumi...@realtek.com; > srinivas.kandaga...@linaro.org; k...@kernel.org; dmur...@ti.com; > jack...@realtek.com; nuno...@analog.com; linux-kernel@vger.kernel.org; > alsa-de...@alsa-project.org; ryan.lee.ma...@gmail.com; Ryan Lee > ; steves.lee.ma...@gmail.com > Subject: Re: [PATCH] ASoC: max98390:

Re: [PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Mark Brown
On Wed, Jun 03, 2020 at 08:18:19PM +0900, Steve Lee wrote: > + param_start_addr = (dsm_param[0] & 0xff) | (dsm_param[1] & 0xff) << 8; > + param_size = (dsm_param[2] & 0xff) | (dsm_param[3] & 0xff) << 8; > + if (param_size > MAX98390_DSM_PARAM_MAX_SIZE || > + param_start_add

RE: [PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Steve Lee
shumi...@realtek.com; > srinivas.kandaga...@linaro.org; k...@kernel.org; dmur...@ti.com; > jack...@realtek.com; nuno...@analog.com; linux-kernel@vger.kernel.org; > alsa-de...@alsa-project.org; ryan.lee.ma...@gmail.com; Ryan Lee > ; steves.lee.ma...@gmail.com > Subject: Re: [PATCH]

Re: [PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Takashi Iwai
On Wed, 03 Jun 2020 13:18:19 +0200, Steve Lee wrote: > > @@ -847,7 +861,6 @@ static int max98390_probe(struct snd_soc_component > *component) > > /* Dsm Setting */ > regmap_write(max98390->regmap, DSM_VOL_CTRL, 0x94); > - regmap_write(max98390->regmap, DSMIG_EN, 0x19); Is this

[PATCH] ASoC: max98390: Fix potential crash during param fw loading

2020-06-03 Thread Steve Lee
malformed firmware file can cause out-of-bound access and crash during dsm_param bin loading. - add MIN/MAX param size to avoid out-of-bound access. - read start addr and size of param and check bound. Signed-off-by: Steve Lee --- sound/soc/codecs/max98390.c | 23 ++- s