lib_manager: bound build info offset to the library size

lrgirdwo · lrgirdwo · commit 4c1690894d4d · 2026-06-11T14:40:46.000+01:00
The build info pointer was derived from a manifest-supplied text segment
offset without bounds, so a crafted manifest could read outside the
library buffer. Validate the offset against the library image size
before dereferencing and fail the module type lookup otherwise.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/src/library_manager/lib_manager.c b/src/library_manager/lib_manager.c
@@ -574,6 +574,21 @@ static enum buildinfo_mod_type lib_manager_get_module_type(const struct sof_man_
 	if (module_is_llext(mod))
 		return MOD_TYPE_LLEXT;
 
+	/*
+	 * build_info is derived from a manifest-supplied file_offset; bound it
+	 * against the library image size before dereferencing so a crafted
+	 * offset cannot read outside the library buffer.
+	 */
+	{
+		const size_t lib_size = (size_t)desc->header.preload_page_count * PAGE_SZ;
+		const uint32_t text_off = mod->segment[SOF_MAN_SEGMENT_TEXT].file_offset;
+
+		if (text_off > lib_size || lib_size - text_off < sizeof(*build_info)) {
+			tr_err(&lib_manager_tr, "Invalid TEXT file_offset %u", text_off);
+			return MOD_TYPE_INVALID;
+		}
+	}
+
 	tr_info(&lib_manager_tr, "Module API version: %u.%u.%u, format: 0x%x",
 		build_info->api_version_number.fields.major,
 		build_info->api_version_number.fields.middle,
