| From a44f9d6f9dc1fb314a3f1ed2dcd4fbbcc3d9f892 Mon Sep 17 00:00:00 2001 |
| From: "Gustavo A. R. Silva" <gustavoars@kernel.org> |
| Date: Tue, 10 Aug 2021 19:09:55 +0200 |
| Subject: media: staging/intel-ipu3: css: Fix wrong size comparison imgu_css_fw_init |
| |
| From: Gustavo A. R. Silva <gustavoars@kernel.org> |
| |
| commit a44f9d6f9dc1fb314a3f1ed2dcd4fbbcc3d9f892 upstream. |
| |
| There is a wrong comparison of the total size of the loaded firmware |
| css->fw->size with the size of a pointer to struct imgu_fw_header. |
| |
| Turn binary_header into a flexible-array member[1][2], use the |
| struct_size() helper and fix the wrong size comparison. Notice |
| that the loaded firmware needs to contain at least one 'struct |
| imgu_fw_info' item in the binary_header[] array. |
| |
| It's also worth mentioning that |
| |
| "css->fw->size < struct_size(css->fwp, binary_header, 1)" |
| |
| with binary_header declared as a flexible-array member is equivalent |
| to |
| |
| "css->fw->size < sizeof(struct imgu_fw_header)" |
| |
| with binary_header declared as a one-element array (as in the original |
| code). |
| |
| The replacement of the one-element array with a flexible-array member |
| also helps with the ongoing efforts to globally enable -Warray-bounds |
| and get us closer to being able to tighten the FORTIFY_SOURCE routines |
| on memcpy(). |
| |
| [1] https://en.wikipedia.org/wiki/Flexible_array_member |
| [2] https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays |
| |
| Link: https://github.com/KSPP/linux/issues/79 |
| Link: https://github.com/KSPP/linux/issues/109 |
| |
| Fixes: 09d290f0ba21 ("media: staging/intel-ipu3: css: Add support for firmware management") |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> |
| Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/staging/media/ipu3/ipu3-css-fw.c | 7 +++---- |
| drivers/staging/media/ipu3/ipu3-css-fw.h | 2 +- |
| 2 files changed, 4 insertions(+), 5 deletions(-) |
| |
| --- a/drivers/staging/media/ipu3/ipu3-css-fw.c |
| +++ b/drivers/staging/media/ipu3/ipu3-css-fw.c |
| @@ -124,12 +124,11 @@ int imgu_css_fw_init(struct imgu_css *cs |
| /* Check and display fw header info */ |
| |
| css->fwp = (struct imgu_fw_header *)css->fw->data; |
| - if (css->fw->size < sizeof(struct imgu_fw_header *) || |
| + if (css->fw->size < struct_size(css->fwp, binary_header, 1) || |
| css->fwp->file_header.h_size != sizeof(struct imgu_fw_bi_file_h)) |
| goto bad_fw; |
| - if (sizeof(struct imgu_fw_bi_file_h) + |
| - css->fwp->file_header.binary_nr * sizeof(struct imgu_fw_info) > |
| - css->fw->size) |
| + if (struct_size(css->fwp, binary_header, |
| + css->fwp->file_header.binary_nr) > css->fw->size) |
| goto bad_fw; |
| |
| dev_info(dev, "loaded firmware version %.64s, %u binaries, %zu bytes\n", |
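Review bot: A header with `binary_nr == 0` still passes the second check, so the "at least one imgu_fw_info" requirement described in the commit message is enforced on the blob size but not on the count read from the firmware. imgu_css_fw_init continues outside this hunk, so whether later code assumes at least one binary is not visible here. If it does, the count could be rejected explicitly with `if (!css->fwp->file_header.binary_nr || struct_size(css->fwp, binary_header, css->fwp->file_header.binary_nr) > css->fw->size)`. A short comment above the first check would also help, e.g. `/* fw must hold the file header plus at least one imgu_fw_info */`. It is also worth a comment that struct_size() saturates on overflow, which is what makes the firmware-supplied count safe to multiply.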
| --- a/drivers/staging/media/ipu3/ipu3-css-fw.h |
| +++ b/drivers/staging/media/ipu3/ipu3-css-fw.h |
| @@ -171,7 +171,7 @@ struct imgu_fw_bi_file_h { |
| |
| struct imgu_fw_header { |
| struct imgu_fw_bi_file_h file_header; |
| - struct imgu_fw_info binary_header[1]; /* binary_nr items */ |
| + struct imgu_fw_info binary_header[]; /* binary_nr items */ |
| }; |
| |
| /******************* Firmware functions *******************/ |
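Review bot: Converting `binary_header` to a flexible-array member shrinks `sizeof(struct imgu_fw_header)` by one `struct imgu_fw_info`, so any remaining `sizeof(struct imgu_fw_header)` or `sizeof(*css->fwp)` would silently stop counting the first entry. This diff only touches ipu3-css-fw.c, so other users of the header are presumably absent, but that should be confirmed across the driver before backporting. The member comment could carry the sizing rule for the next reader: `struct imgu_fw_info binary_header[]; /* file_header.binary_nr items; size via struct_size() */`.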