rproc_handle_resources() trusts table_ptr->num when it walks the offset[] array, but it does not first verify that the loaded resource table is large enough to actually contain that many offsets. A malformed firmware image can therefore force the loop to read past the end of the table header before any per-entry bounds checks run.
Reject resource tables whose offset array does not fit inside the loaded section. Signed-off-by: Pengpeng Hou <[email protected]> --- drivers/remoteproc/remoteproc_core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c index b087ed21858a..47fdfe5c2124 100644 --- a/drivers/remoteproc/remoteproc_core.c +++ b/drivers/remoteproc/remoteproc_core.c @@ -1022,6 +1022,12 @@ static int rproc_handle_resources(struct rproc *rproc, if (!rproc->table_ptr) return 0; + if (struct_size(rproc->table_ptr, offset, + rproc->table_ptr->num) > rproc->table_sz) { + dev_err(dev, "resource table is truncated\n"); + return -EINVAL; + } + for (i = 0; i < rproc->table_ptr->num; i++) { int offset = rproc->table_ptr->offset[i]; struct fw_rsc_hdr *hdr = (void *)rproc->table_ptr + offset; -- 2.50.1 (Apple Git-155)
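Review bot: the new dev_err() in the hunk drops the two values the check just compared, so make the diagnostic actionable by printing them, e.g. `dev_err(dev, "resource table truncated: num=%u, size=%zu\n", rproc->table_ptr->num, rproc->table_sz);` (struct_size() saturates to SIZE_MAX on overflow, so an absurdly large num still trips the `> rproc->table_sz` comparison, which is the behaviour you want here). Since the change closes an out-of-bounds read reachable from a malformed firmware image, the commit message should also carry a Fixes: tag pointing at the commit that introduced the unchecked walk, and a Cc: [email protected] line so the check is backported.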

