crash-decode: do not eval() linker script memory expressions

lrgirdwo · lrgirdwo · commit 98f2ca696a13 · 2026-06-11T14:40:46.000+01:00
The crash-decode helper evaluated arithmetic from a user-supplied linker
script with eval(), so a crafted crash bundle could run arbitrary Python
on the analyst's machine. Parse the expressions with a restricted
evaluator that only accepts integer literals and basic arithmetic
operators.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/scripts/sof-crash-decode.py b/scripts/sof-crash-decode.py
@@ -35,6 +35,42 @@
 import os
 import json
 import shlex
+import ast
+import operator
+
+
+# Operators allowed when evaluating arithmetic from an untrusted linker script.
+_SAFE_OPS = {
+    ast.Add: operator.add, ast.Sub: operator.sub,
+    ast.Mult: operator.mul, ast.Div: operator.floordiv,
+    ast.Mod: operator.mod, ast.LShift: operator.lshift,
+    ast.RShift: operator.rshift, ast.BitOr: operator.or_,
+    ast.BitAnd: operator.and_, ast.BitXor: operator.xor,
+    ast.USub: operator.neg, ast.UAdd: operator.pos,
+}
+
+
+def safe_eval_int(expr):
+    """Evaluate an integer arithmetic expression without executing code.
+
+    A crash bundle's linker.cmd is attacker-controllable, so its MEMORY
+    expressions must never be passed to eval(). Only integer literals and
+    basic arithmetic operators are accepted; anything else raises ValueError.
+    """
+    def _eval(node):
+        if isinstance(node, ast.Expression):
+            return _eval(node.body)
+        if isinstance(node, ast.Constant):
+            if isinstance(node.value, int):
+                return node.value
+            raise ValueError("non-integer constant")
+        if isinstance(node, ast.BinOp) and type(node.op) in _SAFE_OPS:
+            return _SAFE_OPS[type(node.op)](_eval(node.left), _eval(node.right))
+        if isinstance(node, ast.UnaryOp) and type(node.op) in _SAFE_OPS:
+            return _SAFE_OPS[type(node.op)](_eval(node.operand))
+        raise ValueError("unsupported expression")
+
+    return _eval(ast.parse(expr, mode='eval'))
 
 XTENSA_EXCCAUSE = {
     0: "No Error (or IllegalInstruction)",
@@ -151,8 +187,8 @@ def parse_linker_cmd(filepath):
                         org_expr = m_org.group(1).strip()
                         len_expr = m_len.group(1).strip()
                         try:
-                            org_val = eval(org_expr)
-                            len_val = eval(len_expr)
+                            org_val = safe_eval_int(org_expr)
+                            len_val = safe_eval_int(len_expr)
                             # Ignore debug regions
                             if not (name.startswith('.debug') or name.startswith('.stab')):
                                 regions.append({'name': name, 'start': org_val, 'end': org_val + len_val})
