Skip to content

Commit 6f3f607

Browse files
vijendarmukundavijendarmukunda
committed
ASoC: SOF: amd: sanity-check decoded ACP7 signed firmware length
After reading SizeFWSigned and adding the header size, the resulting length must be non-zero and must not exceed the firmware buffer we were given. Reject corrupt headers or truncated images before starting SHA DMA. Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
1 parent 1296f81 commit 6f3f607

1 file changed

Lines changed: 5 additions & 0 deletions

File tree

sound/soc/sof/amd/acp-loader.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -184,6 +184,11 @@ int acp_dsp_pre_fw_run(struct snd_sof_dev *sdev)
184184
size_fw = get_unaligned_le32(adata->bin_buf +
185185
ACP_IMAGE_HDR_SIZE_FW_SIGNED_OFF);
186186
size_fw += ACP_IMAGE_HEADER_SIZE;
187+
if (!size_fw || size_fw > adata->fw_bin_size) {
188+
dev_err(sdev->dev, "Invalid signed firmware header size %u (max %u)\n",
189+
size_fw, adata->fw_bin_size);
190+
return -EINVAL;
191+
}
187192
} else {
188193
size_fw = adata->fw_bin_size;
189194
}

0 commit comments

Comments
 (0)