Good morning, On Mon, 23 Mar 2026 at 01:04, Pengpeng Hou <[email protected]> wrote: > > rproc_handle_resources() trusts table_ptr->num when it walks the offset[] > array, but it does not first verify that the loaded resource table is > large enough to actually contain that many offsets. A malformed firmware > image can therefore force the loop to read past the end of the table > header before any per-entry bounds checks run. > > Reject resource tables whose offset array does not fit inside the loaded > section. > > Signed-off-by: Pengpeng Hou <[email protected]> > --- > drivers/remoteproc/remoteproc_core.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/remoteproc/remoteproc_core.c > b/drivers/remoteproc/remoteproc_core.c > index b087ed21858a..47fdfe5c2124 100644 > --- a/drivers/remoteproc/remoteproc_core.c > +++ b/drivers/remoteproc/remoteproc_core.c > @@ -1022,6 +1022,12 @@ static int rproc_handle_resources(struct rproc *rproc, > if (!rproc->table_ptr) > return 0; > > + if (struct_size(rproc->table_ptr, offset, > + rproc->table_ptr->num) > rproc->table_sz) {
This check is already present in here: https://elixir.bootlin.com/linux/v7.0-rc5/source/drivers/remoteproc/remoteproc_elf_loader.c#L305 Thanks, Mathieu > + dev_err(dev, "resource table is truncated\n"); > + return -EINVAL; > + } > + > for (i = 0; i < rproc->table_ptr->num; i++) { > int offset = rproc->table_ptr->offset[i]; > struct fw_rsc_hdr *hdr = (void *)rproc->table_ptr + offset; > -- > 2.50.1 (Apple Git-155) >
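Review bot: The new struct_size() guard in rproc_handle_resources() duplicates a check that, as the reply notes, the ELF loader already performs when it locates the resource table, so the commit message's claim that nothing verifies the offset array before the loop does not hold for the ELF path. The patch should either name the loader or table_ptr assignment path that reaches rproc_handle_resources() without that validation (in which case the fix may belong there instead), or state explicitly that this is intended as defence in depth at the point of use. If it is kept, the check itself is sound: struct_size() saturates rather than wrapping, so an absurdly large table_ptr->num still compares greater than table_sz and is rejected before offset[i] is read.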

