greybus: firmware: fix information leak

Add missing sanity checks on get_firmware-request offset and size parameters to fix potential information leaks. This prevents remotely controlled information leaks as the requestor currently controls both the 32-bit firmware-image offset and the amount of data that is returned (up to host-device MTU). Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

greybus: firmware: fix information leak
Add missing sanity checks on get_firmware-request offset and size parameters to fix potential information leaks. This prevents remotely controlled information leaks as the requestor currently controls both the 32-bit firmware-image offset and the amount of data that is returned (up to host-device MTU). Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
98645a9c · Johan Hovold · Greg Kroah-Hartman · 81ad6994 · 98645a9c
Commit 98645a9c authored Nov 19, 2015 by Johan Hovold Committed by Greg Kroah-Hartman Nov 19, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

drivers/staging/greybus/firmware.c drivers/staging/greybus/firmware.c +9 -2

No files found.
--- a/drivers/staging/greybus/firmware.c
+++ b/drivers/staging/greybus/firmware.c
@@ -87,6 +87,7 @@ static int gb_firmware_get_firmware(struct gb_operation *op)
 {
 	struct gb_connection *connection = op->connection;
 	struct gb_firmware *firmware = connection->private;
+	const struct firmware *fw = firmware->fw;
 	struct gb_firmware_get_firmware_request *firmware_request = op->request->payload;
 	struct gb_firmware_get_firmware_response *firmware_response;
 	struct device *dev = &connection->bundle->dev;
@@ -99,7 +100,7 @@ static int gb_firmware_get_firmware(struct gb_operation *op)
 		return -EINVAL;
 	}

-	if (!firmware->fw) {
+	if (!fw) {
 		dev_err(dev, "%s: firmware not available\n", __func__);
 		return -EINVAL;
 	}
@@ -107,6 +108,12 @@ static int gb_firmware_get_firmware(struct gb_operation *op)
 	offset = le32_to_cpu(firmware_request->offset);
 	size = le32_to_cpu(firmware_request->size);

+	if (offset >= fw->size || size > fw->size - offset) {
+		dev_warn(dev, "bad firmware request (offs = %u, size = %u)\n",
+				offset, size);
+		return -EINVAL;
+	}
+
 	if (!gb_operation_response_alloc(op, sizeof(*firmware_response) + size,
 					 GFP_KERNEL)) {
 		dev_err(dev, "%s: error allocating response\n", __func__);
@@ -114,7 +121,7 @@ static int gb_firmware_get_firmware(struct gb_operation *op)
 	}

 	firmware_response = op->response->payload;
-	memcpy(firmware_response->data, firmware->fw->data + offset, size);
+	memcpy(firmware_response->data, fw->data + offset, size);

 	return 0;
 }